PHP Type Juggling (Type Confusion)
PHP Type Juggling, also known as Type Confusion, is a vulnerability caused by PHP’s loose comparison system (==), where variables of different types are automatically converted before comparison.
This behavior can allow attackers to bypass authentication, authorization, and security checks by manipulating data types instead of values.
PHP automatically converts strings, numbers, booleans, and nulls during loose comparisons.
Why PHP Is Vulnerable
PHP is a loosely typed language, meaning variables do not have fixed types. When using:
== // loose comparison
PHP attempts to convert both operands to a common type before comparing them.
This can lead to unexpected “true” evaluations.
Dangerous Comparisons
| Comparison | Result | Reason |
|---|---|---|
| "0" == 0 | true | String → int |
| "abc" == 0 | true | Non-numeric string → 0 |
| NULL == false | true | NULL → false |
| "0e123" == "0e456" | true | Both treated as scientific notation |
| "123abc" == 123 | true | Partial numeric conversion |
Boolean Confusion
| Value | Evaluates To |
|---|---|
| "false" | true |
| " " | true |
| "0" | false |
| "abc" | true |
Known Magic Hashes
| Input | Hash Type | Hash |
|---|---|---|
| 240610708 | MD5 | 0e462097431906509019562988736854 |
| QNKCDZO | MD5 | 0e830400451993494058024219903391 |
| aabg7XSs | SHA1 | 0e087386482136013740957780965295 |
Example
Authentication Bypass
If the source code is:
if ($_POST['password'] == $stored_hash) {
    login();
}
and the $stored_hash of any user is:
0e462097431906509019562988736854
An attacker can use:
0e999999999999999999999999999999
PHP evaluates:
"0e..." == "0e..."
Both are interpreted as 0 (scientific notation), so the comparison is true and authentication is bypassed.
Authorization Bypass
If the vulnerable code is:
if ($_GET['is_admin'] == true) {
    grantAdmin();
}
Then all of the following payloads work:
is_admin=1
is_admin=true
is_admin=abc
All evaluate to true in loose comparisons.
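
The two vulnerable checks above, each beside a strict replacement, as an added example that is not code from the original page. The function names are hypothetical, and the sample values are the ones listed on this page.

```php
<?php
// Added example; function names are hypothetical, values are from the page.

// Vulnerable pattern: both operands are numeric strings of the form
// 0e<digits>, so == compares them as numbers (same on PHP 7 and PHP 8).
function login_loose(string $submitted, string $stored_hash): bool
{
    return $submitted == $stored_hash;
}

// Hardened: hash_equals() compares the strings byte by byte in constant
// time and performs no type conversion.
function login_strict(string $submitted, string $stored_hash): bool
{
    return hash_equals($stored_hash, $submitted);
}

// Vulnerable pattern: the request string is converted to bool before comparing.
function is_admin_loose($raw): bool
{
    return $raw == true;
}

// Hardened comparison: === requires the same type and the same value.
// Assumption: '1' is the only accepted value. Real authorization should be
// read from server-side session state, not from a request parameter.
function is_admin_strict($raw): bool
{
    return $raw === '1';
}

$stored = '0e462097431906509019562988736854'; // MD5 of 240610708
$sent   = '0e999999999999999999999999999999'; // attacker-supplied value

echo "login loose:  ", var_export(login_loose($sent, $stored), true), "\n";
echo "login strict: ", var_export(login_strict($sent, $stored), true), "\n";

// Two different inputs from the magic-hash table, hashed and compared.
echo "md5 loose:    ", var_export(md5('240610708') == md5('QNKCDZO'), true), "\n";
echo "md5 strict:   ", var_export(hash_equals(md5('240610708'), md5('QNKCDZO')), true), "\n";

foreach (['1', 'true', 'abc', '0', ''] as $v) {
    printf("is_admin=%-6s loose=%s strict=%s\n", var_export($v, true),
        var_export(is_admin_loose($v), true), var_export(is_admin_strict($v), true));
}
```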