PHP Type Juggling Vulnerability Tech Sharing + Challenge
We kicked off our 1st Div0 Women In Cybersecurity (WICS) technical sharing with our WICS member — Monika Talekar — organising a 2-day weekend event.
On Sat (30 May 2020) afternoon, Monika ran through the ins and outs of the PHP Type Juggling vulnerability with demos, before releasing 2 hands-on challenges for our WICS members to apply their newly acquired knowledge. Div0 WICS members had ~23 hours to solve the 2 challenges before Monika walked through the solutions on Sun (31 May 2020) afternoon.
You can download a copy of Monika's Tech Sharing presentation slides [here].
PHP Type Juggling
PHP does not require or support explicit type definition in variable declaration; a variable's type is determined by the context in which the variable is used. For example, if a string value is assigned to variable $var, $var becomes a string type. If an integer value is then assigned to $var, it becomes an integer type.
PHP Type Juggling with Scientific Exponential Number Notation
Any time PHP loosely compares a string that starts with a number followed by the character "e" (and more digits), PHP evaluates that string as a number in scientific notation.
Horrifically, when PHP loosely compares 2 such strings and both begin with "0e" (followed only by digits), the comparison is TRUE, since 0e(_followed_by_any_digits_) always evaluates to 0.
PHP Type Juggling with Scientific Exponential Number Notation Vulnerability Demo
Monika demonstrated how a web server that authenticates by loosely comparing hash values would accept a password whose hash value is "0e462097431906509019562988736854" when the actual password's hash value is "0e990995504821699494520356953734", because both hashes begin with "0e" and evaluate to 0.
How to Avoid PHP Type Juggling Vulnerability
This vulnerability is very easy to avoid: use strict comparison (i.e. the "===" operator) when comparing hash values.
Monika released 2 challenges for Div0 WICS members to solve:
To find a string that begins with "10" and ends with "112" that has a SHA1 hash value beginning with "0e"; and
To find a string whose SHA1 hash value, with all digits removed, has an MD5 hash value beginning with "0e".
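The following PHP snippet is an added example (not Monika's demo code or the challenge files) reproducing the login comparison from the demo with the two hash values quoted above, beside the strict and constant-time checks that fix it, plus a checker for the two challenge conditions. The reading of challenge 2 as md5(sha1(s) with digits removed) is an assumption.

```php
<?php
// Both digests from the demo begin with "0e" followed only by digits, so a
// loose comparison treats each as the numeric string 0 x 10^N, i.e. 0.0.
$storedHash    = "0e990995504821699494520356953734"; // hash of the real password (from the demo)
$submittedHash = "0e462097431906509019562988736854"; // hash of the guessed password (from the demo)

// Vulnerable: "==" converts both numeric strings to float 0.0, so they compare equal.
function check_loose(string $stored, string $candidate): bool {
    return $stored == $candidate;
}

// Fixed: "===" compares type and bytes, so different hex digests never match.
function check_strict(string $stored, string $candidate): bool {
    return $stored === $candidate;
}

// Preferred for secrets: byte comparison that also runs in constant time.
function check_constant_time(string $stored, string $candidate): bool {
    return hash_equals($stored, $candidate);
}

var_dump(check_loose($storedHash, $submittedHash));
var_dump(check_strict($storedHash, $submittedHash));
var_dump(check_constant_time($storedHash, $submittedHash));

// A "magic" digest is one loose comparison would treat as 0: "0e" then digits only.
function is_magic_hash(string $hex): bool {
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

// Challenge 1: string begins with "10", ends with "112", and sha1() is magic.
function meets_challenge_1(string $s): bool {
    return str_starts_with($s, "10") && str_ends_with($s, "112") && is_magic_hash(sha1($s));
}

// Challenge 2 (assumed reading): md5 of the sha1 digest with all digits removed is magic.
function meets_challenge_2(string $s): bool {
    $lettersOnly = preg_replace('/[0-9]/', '', sha1($s));
    return is_magic_hash(md5($lettersOnly));
}

// Constructed sample inputs; ordinary strings are expected to fail both checks.
foreach (["10hello112", "wics2020"] as $candidate) {
    printf("%s: c1=%s c2=%s\n", $candidate,
        var_export(meets_challenge_1($candidate), true),
        var_export(meets_challenge_2($candidate), true));
}
```

Requires PHP 8 for str_starts_with()/str_ends_with(); on PHP 7 substitute substr() checks.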
Congratulations To the Following Div0 WICS Challenge Contenders
We asked the Div0 WICS members who managed to solve the challenges to submit write-ups of their attempts. We received submissions from the following members:
Ariel Ong Yu Xiang
Ng Min Min
Tay Mei Mei
Grace Tan won a copy of Cyber Risk Leaders, authored by Shamane Tan — judged based on time of submission and clarity of the write-up. The book prize was kindly donated by Div0 WICS member Nurul Huda.
Join Div0 WICS
Learn More: https://www.div0.sg/wics
Shout-out to our proud supporters: