Div0 Blog Editor

PHP Type Juggling Vulnerability Tech Sharing + Challenge

We kicked off our 1st Div0 Women In Cybersecurity (WICS) technical sharing with WICS member Monika Talekar, who organised a 2-day weekend event.


On Sat (30 May 2020) afternoon, Monika ran through the ins and outs of the PHP Type Juggling vulnerability with demos, before releasing 2 hands-on challenges for our WICS members to apply their newly acquired knowledge. Div0 WICS members had ~23 hours to solve the 2 challenges before Monika walked through them on Sun (31 May 2020) afternoon.


You can download a copy of Monika's Tech Sharing presentation slides [here].

PHP Type Juggling

PHP does not require or support explicit type definition in variable declaration; a variable's type is determined by the context in which the variable is used. For example, if a string value is assigned to variable $var, $var becomes a string type. If an integer value is then assigned to $var, it becomes an integer type.


PHP Type Juggling with Scientific Exponential Number Notation

Whenever PHP sees a string that starts with a number followed by the character "e" (scientific notation), it treats that string as a number in loose comparisons.


Horrifically, when PHP loosely compares 2 strings that look like numbers written in scientific notation and both begin with "0e", the comparison is TRUE, since 0e(followed by any digits) always evaluates to 0.


PHP Type Juggling with Scientific Exponential Number Notation Vulnerability Demo

Monika demonstrated how a web server that authenticates passwords by comparing hash values would accept a password whose hash value is "0e462097431906509019562988736854" when the actual password hash value is "0e990995504821699494520356953734".


How to Avoid PHP Type Juggling Vulnerability

This vulnerability is very easy to avoid. Use strict comparison (the "===" operator) when comparing values such as hashes.
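The demo and the fix above, as an added PHP example that is not code from Monika's sharing: a password check using == beside one using hash_equals() (=== would do as well). The stored hash is the one quoted in the demo; the preimage "240610708" is a widely published MD5 magic-hash value and is this example's assumption, not something from the post.

```php
<?php
// Added example: the "0e" hash comparison bypass beside its strict fix.
// STORED_HASH is assumed to be the hash the server keeps for the user; its
// value is the "actual password hash" quoted in the demo above.
const STORED_HASH = '0e990995504821699494520356953734';

// Vulnerable: == on two numeric-looking strings compares them as numbers.
// Any "0e<digits>" string is 0 x 10^n, so every such pair compares equal.
// This still holds in PHP 8, whose saner-comparison changes only affect
// comparisons involving non-numeric strings.
function loose_check(string $supplied): bool
{
    return md5($supplied) == STORED_HASH;
}

// Fixed: hash_equals() compares every byte (and in constant time), so two
// different "0e..." strings are different. === gives the same verdict.
function strict_check(string $supplied): bool
{
    return hash_equals(STORED_HASH, md5($supplied));
}

// Assumed (published) magic-hash preimage: md5('240610708') is the
// "0e462097431906509019562988736854" string used in the demo above.
$attempt = '240610708';

printf("md5(%s) = %s\n", $attempt, md5($attempt));
printf("loose_check:  %s\n", loose_check($attempt) ? 'ACCEPTED (bypass)' : 'rejected');
printf("strict_check: %s\n", strict_check($attempt) ? 'ACCEPTED' : 'rejected');

// The same juggling on ordinary scientific-notation strings.
var_dump('1e3' == '1000');   // loose: both sides parsed as numbers
var_dump('1e3' === '1000');  // strict: compared byte by byte
```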


The Challenges

Monika released 2 challenges for Div0 WICS members to solve:

  1. To find a string that begins with "10" and ends with "112" whose SHA1 hash value begins with "0e"; and

  2. To find a string such that the MD5 hash of its SHA1 hash value (with all numbers removed) begins with "0e".

Congratulations To the Following Div0 WICS Challenge Contenders

We asked our Div0 WICS members who solved the challenges to submit write-ups of their attempts. We received submissions from the following members:

  • Akshaya Venkatesh

  • Ariel Ong Yu Xiang

  • Grace Tan

  • Ng Min Min

  • Tay Mei Mei

Grace Tan won a copy of Cyber Risk Leaders by Shamane Tan, judged on time of submission and clarity of the write-up. The book prize was kindly donated by Div0 WICS member Nurul Huda.

Join Div0 WICS

Learn More: https://www.div0.sg/wics
