Div0 Blog Editor
May 30, 2020 (2 min read)
We kicked off our 1st Div0 Women In Cybersecurity (WICS) technical sharing with WICS member Monika Talekar organising a 2-day weekend event.
On Sat (30 May 2020) afternoon, Monika ran through the ins and outs of the PHP Type Juggling vulnerability with demos, before releasing 2 hands-on challenges for our WICS members to apply their newly acquired knowledge. Div0 WICS members had ~23 hours to solve the 2 challenges before Monika walked through the solutions on Sun (31 May 2020) afternoon.
You can download a copy of Monika's Tech Sharing presentation slides [here].
PHP does not require or support explicit type definitions in variable declarations; a variable's type is determined by the context in which the variable is used. For example, if a string value is assigned to the variable $var, $var becomes a string type. If an integer value is then assigned to $var, it becomes an integer type.
Any time PHP sees a string that starts with digits followed by the character "e" (and more digits), PHP treats it as a number written in scientific notation and, in a loose comparison, evaluates it as that number.
Horrifically, when PHP loosely compares 2 such strings and both begin with "0e", the comparison is TRUE, since 0e followed by any digits is always 0.
Monika demonstrated how a web server that compares hash values for password authentication would accept a password whose hash is "0e462097431906509019562988736854" when the actual password hash is "0e990995504821699494520356953734".
This vulnerability is very easy to avoid: use strict comparison (i.e. the "===" operator) when comparing hashes.
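To make the point concrete, here is an added example (not from Monika's slides) that puts the two hash values from the write-up above through a loose "==" check and through strict alternatives; the loose check passes, the strict ones do not. The function names and the "stored vs. submitted" framing are assumptions for illustration.

```php
<?php
// Added example, not part of the original talk. Both strings below are the hash
// values quoted in the write-up; each is digits after a leading "0e", so PHP
// treats them as numeric strings equal to 0 when compared with "==".
$storedHash    = "0e990995504821699494520356953734";
$submittedHash = "0e462097431906509019562988736854";

// Vulnerable: loose comparison converts both numeric strings to 0.0 first,
// so any two "0e<digits>" hashes are considered equal (login bypass).
function loose_check(string $stored, string $submitted): bool {
    return $stored == $submitted;
}

// Fixed: strict comparison compares the actual bytes, no numeric coercion.
function strict_check(string $stored, string $submitted): bool {
    return $stored === $submitted;
}

// Preferred for secrets: hash_equals() is strict AND constant-time,
// so it also avoids leaking information through timing differences.
function constant_time_check(string $stored, string $submitted): bool {
    return hash_equals($stored, $submitted);
}

var_dump(loose_check($storedHash, $submittedHash));
var_dump(strict_check($storedHash, $submittedHash));
var_dump(constant_time_check($storedHash, $submittedHash));
```

For real password storage, password_hash() and password_verify() sidestep the issue entirely, since the application never compares raw hash strings itself.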
Monika released 2 challenges for Div0 WICS members to solve:
To find a string that begins with "10" and ends with "112" that has a SHA1 hash value beginning with "0e"; and
To find a string that has an MD5 hash value of its SHA1 hash value (with all numbers removed) beginning with "0e".
We asked the Div0 WICS members who managed to solve the challenges to submit write-ups of their attempts. We received submissions from the following members:
Akshaya Venkatesh
Ariel Ong Yu Xiang
Grace Tan
Ng Min Min
Tay Mei Mei
Grace Tan won a copy of Cyber Risk Leaders by Shamane Tan, judged on time of submission and clarity of the write-up. The book prize was kindly donated by Div0 WICS member Nurul Huda.
Learn More: https://www.div0.sg/wics
Shout-out to our proud supporters:
ICE71 (https://ice71.sg/)
Centurion Information Security (https://centurioninfosec.sg/)
Singapore Computer Society (SCS) (https://www.scs.org.sg/index.php)
CodingGirls (https://codinggirls.sg/)
Women Who Code Singapore (https://www.womenwhocode.com/singapore)