Type Juggling

What is Type Juggling

PHP is a loosely typed language, which means it tries to predict the programmer's intent and automatically converts variables to different types whenever it seems necessary. For example, a string containing only numbers can be treated as an integer or a float. However, this automatic conversion (or type juggling) can lead to unexpected results, especially when comparing variables using the '==' operator, which only checks for value equality (loose comparison), not type and value equality (strict comparison).


How to find it

During code review of PHP applications, look for if statements that compare values without checking the variable type:

Vulnerable code:

if ($variable == $variable_2) { // loose comparison: operands are converted before comparing
    // code
}

Not vulnerable code:

if ($variable === $variable_2) { // strict comparison: type and value must both match
    // code
}

Changing the parameter type

PHP applications are commonly built on the Laravel framework. Laravel's middleware API accepts submitted data both as a URL parameter and as JSON in the request body.

The importance of this lies in the fact that a JSON body lets us specify the parameter's type, which is not possible when sending a regular parameter in the URL.

An attacker can therefore deliver a boolean instead of a string, which can cause the application to misbehave and lead to a serious vulnerability.
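The following example, added here and not taken from the original page or from Laravel, ties the loose comparison from the code review section above to the JSON parameter-type issue in this section. It uses plain PHP rather than Laravel so that it runs stand-alone: a hypothetical token check receives the same parameter once as a form body and once as a JSON body, both constructed inline, and compares it with a loose check and then with a strict one. The token value and parameter name are placeholders.

```php
<?php
// Added example (not from the original page): a boolean arriving in a JSON body
// defeats a loose token comparison; a type check plus hash_equals does not.
declare(strict_types=1);

// Constructed sample request bodies. A URL or form parameter can only ever be a
// string (or an array of strings); a JSON body can carry native types.
const FORM_BODY = 'token=guess';
const JSON_BODY = '{"token": true}';

// Placeholder secret for the example; not a real value.
const EXPECTED_TOKEN = 'example-token-not-a-real-secret';

function parseForm(string $body): array
{
    parse_str($body, $params);
    return $params; // every scalar here is a string
}

function parseJson(string $body): array
{
    // json_decode keeps bool/int/null as native PHP types
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Vulnerable: loose comparison. When one operand is a bool, the other is
// converted to bool first, so true == 'any non-empty string' holds in every
// PHP version regardless of the string's content.
function tokenValidLoose($submitted, string $expected): bool
{
    return $submitted == $expected;
}

// Hardened: require the exact type, then compare with a constant-time function.
// hash_equals() only accepts strings, which is why the is_string guard comes first.
function tokenValidStrict($submitted, string $expected): bool
{
    return is_string($submitted) && hash_equals($expected, $submitted);
}

$form = parseForm(FORM_BODY);
$json = parseJson(JSON_BODY);

echo "form token type: " . gettype($form['token']) . PHP_EOL;
echo "json token type: " . gettype($json['token']) . PHP_EOL;
var_dump(tokenValidLoose($form['token'], EXPECTED_TOKEN));
var_dump(tokenValidLoose($json['token'], EXPECTED_TOKEN));
var_dump(tokenValidStrict($json['token'], EXPECTED_TOKEN));
var_dump(tokenValidStrict(EXPECTED_TOKEN, EXPECTED_TOKEN));
```

The form parameter is a string and the wrong value is rejected by both functions. The JSON parameter is a PHP bool, and the loose check accepts it because the expected token is converted to bool before comparing; the strict check rejects it because the type test fails before any value comparison happens. When reviewing code, the pattern to flag is any `==` (or `in_array()`/`array_search()` without the third argument set to `true`) applied to a value that may have come from a decoded JSON body.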

Payload creation

The table below will help you in crafting the payload. It lists PHP loose comparisons that evaluate to true (some only on particular PHP versions), which are the equivalences a type juggling payload relies on.

Statement                       Output
'0010e2' == '1e3'               true
'0xABCdef' == ' 0xABCdef'       true (PHP 5.0) / false (PHP 7.0)
'0x01' == 1                     true (PHP 5.0) / false (PHP 7.0)
'0x1234Ab' == '1193131'         true (PHP 5.0) / false (PHP 7.0)
'123' == 123                    true
'123a' == 123                   true
'abc' == 0                      true
'' == 0 == false == NULL        true
'' == 0                         true
0 == false                      true
false == NULL                   true
NULL == ''                      true
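Because several rows depend on the interpreter version, the added script below (not part of the original page) evaluates every row of the table on the PHP you actually run and pairs each loose comparison with its strict form. Two caveats it makes visible: the chained row `'' == 0 == false == NULL` is not a valid PHP expression (comparison operators are non-associative), so it is represented by its three pairwise rows; and PHP 8.0 changed string-to-number comparison so that a non-numeric string compared with a number is compared as strings, which turns the `'123a'`, `'abc'` and `''` rows false on PHP 8.

```php
<?php
// Added example (not from the original page): evaluates the table's loose
// comparisons on the running interpreter and pairs each with its strict form.
declare(strict_types=1);

/**
 * Returns [expression => ['loose' => bool, 'strict' => bool]] for every row of
 * the table. The chained row ('' == 0 == false == NULL) cannot be written as a
 * single PHP expression, so it appears here as its three pairwise rows.
 */
function comparisonTable(): array
{
    // Each row: [label, left operand, right operand]. Operands are kept as
    // values rather than source text so the same pair feeds both == and ===.
    $rows = [
        ["'0010e2' == '1e3'",         '0010e2',   '1e3'],
        ["'0xABCdef' == ' 0xABCdef'", '0xABCdef', ' 0xABCdef'],
        ["'0x01' == 1",               '0x01',     1],
        ["'0x1234Ab' == '1193131'",   '0x1234Ab', '1193131'],
        ["'123' == 123",              '123',      123],
        ["'123a' == 123",             '123a',     123],
        ["'abc' == 0",                'abc',      0],
        ["'' == 0",                   '',         0],
        ["0 == false",                0,          false],
        ["false == NULL",             false,      null],
        ["NULL == ''",                null,       ''],
    ];

    $results = [];
    foreach ($rows as [$label, $left, $right]) {
        $results[$label] = [
            'loose'  => $left == $right,   // type juggling applies
            'strict' => $left === $right,  // type and value must both match
        ];
    }
    return $results;
}

function printComparisonTable(): void
{
    printf("PHP %s\n%-28s %-6s %s\n", PHP_VERSION, 'Statement', 'loose', 'strict');
    foreach (comparisonTable() as $label => $r) {
        printf(
            "%-28s %-6s %s\n",
            $label,
            $r['loose'] ? 'true' : 'false',
            $r['strict'] ? 'true' : 'false'
        );
    }
}

printComparisonTable();
```

Run it once per interpreter version the application is deployed on; the `loose` column is what a payload built from this table depends on, and the `strict` column is false for every row, which is why replacing `==` with `===` (and adding an explicit type check on decoded JSON input) closes the whole class of issues rather than one row at a time.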
