Sven Morgenroth Talks About PHP Type Juggling on Paul's Security Weekly Podcast

Category: Web Security Readings - Last Updated: Tue, 18 Sep 2018 - by Robert Abela

Watch episode 572 of Paul's Security Weekly, during which one of our Security Researchers, Sven Morgenroth examines data types and PHP Type Juggling Vulnerabilities.

During the show, hosted by Paul Asdoorian, Sven explains:

  • Sometimes when you have different data, you need to compare it. Sven kicked off his presentation by looking at data types in PHP. This is easy when the two pieces of data are of the same type. However, Sven gave an example of what happens if they are not. In his example, in the case of strings and integers, PHP can convert a string to an integer by extracting a number at the beginning of the string. However, even when strings don't contain numbers, Sven demonstrated that PHP still wants to convert it to an integer and so returns weird values, such as zero.
  • At this point, Sven jokes that even Paul may get lost from this point onwards! And, he displays a self-produced type chart of potential PHP Type comparisons whose results look very confusing. For example, an empty array returns 'false', whereas an empty object returns 'true'.
  • The important question Sven poses, though, is: While PHP's loose comparisons comparisons might be strange, is PHP actually insecure? His first point was simply that programming languages should be predictable – obviously and especially in a security-critical context. And, comparisons cannot be avoided; they are everywhere. He goes on to list the serious security vulnerabilities arising from this 'Type Juggling', including Authentication Bypasses, crypto-related flaws and Hashing Algorithm Disclosure, and provides a few examples of each one. You can read an example of an Authentication Bypass in CMS Made Simple.
  • Following Sven's vulnerability demos, they discussed the double equals and triple equals syntax, and Paul noted how this was a great example of how PHP "is very insecure right out of the box". They concluded, though, that PHP developers were surely aware of this and were simply trying to make it easier to write (not necessarily accurate) code, and that other languages probably had similar examples, particularly JavaScript.


Dead accurate, fast & easy-to-use Web Application Security Scanner