commit
c52cfb1200
|
@ -5,6 +5,8 @@ PHP provides two ways to compare two variables:
|
||||||
- Loose comparison using `== or !=` : both variables have "the same value".
|
- Loose comparison using `== or !=` : both variables have "the same value".
|
||||||
- Strict comparison using `=== or !==` : both variables have "the same type and the same value".
|
- Strict comparison using `=== or !==` : both variables have "the same type and the same value".
|
||||||
|
|
||||||
|
PHP type juggling vulnerabilities arise when loose comparison (== or !=) is employed instead of strict comparison (=== or !==) in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.
|
||||||
|
|
||||||
## Type Juggling
|
## Type Juggling
|
||||||
|
|
||||||
### True statements
|
### True statements
|
||||||
|
@ -101,4 +103,4 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
|
||||||
|
|
||||||
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
|
||||||
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
|
||||||
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
|
||||||
|
|
Loading…
Reference in New Issue