Type Juggling - PHP

What's wrong ?

MD5 (deprecated cryptographic hash functions)
Loose comparison

That's all ?

How to pwned it ?

Try with a default password:

$ src/cli.php --password p4ssW0rD

Your are not authorized.

Try with "240610708" as password

$ src/cli.php --password 240610708

What do you should know ?

Type Jugling and String conversion to numbers
Magic Hashes are strings which will be evaluated as float (exponational notation with e)
Loose comparison is weird with float

How to secure it ?

strict comparison (not enought, what about timming attack ?)
use password_hash(), password_verify() or hash_equals(). these functions are constant time. This makes it safe against timing attacks.
Use modern hash function such as argon2, scrypt or bcrypt.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
src		src
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Type Juggling - PHP

What's wrong ?

How to pwned it ?

What do you should know ?

How to secure it ?

About

Uh oh!

Releases

Packages

Languages

License

0xdbe-appsec/type-juggling-php

Folders and files

Latest commit

History

Repository files navigation

Type Juggling - PHP

What's wrong ?

How to pwned it ?

What do you should know ?

How to secure it ?

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages