Task 1: Loose comparison

We have seen in class that PHP's loose comparison == can equate different values of different types: two values compare as equal if they are the same after type juggling.

Comparing integers and strings

When a string is compared with an integer, the string is converted into an integer. For example:

"0000" == 0  TRUE
"0e12" == 0  TRUE   exponential notation!
"1e12" == 1  FALSE  exponential notation!

and for PHP up to version 7.x we also have:

"1a12" == 1  TRUE   integer is cut to 1
"0abc" == 0  TRUE   integer is cut to 0
"abc"  == 0  TRUE   no digits, converted to 0

Comparing strings that look like integers

When two strings look like integers, PHP converts them into integers during comparison. For example:

"0e12" == "0e34"   TRUE   exponential notation
"1e12" >= "2"      TRUE   exponential notation
"1e12" >= "b"      FALSE  lexicographic order ("b" does not look like an integer)
"0e12" == "0"      TRUE   exponential notation
 0xF   == "15"     TRUE
"0xF"  == "15"     FALSE  since version 7.0! (before, it was true!)

From these examples we notice that type juggling in loose comparison introduces unpredictable behaviours that might be exploited by an attacker to modify the application's control flow.
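
The following is an added example, not part of the original handout: it runs pairs taken from the tables above through a check written with == and through a hardened check that requires both operands to be strings and compares them with hash_equals(). The function names check_loose and check_strict are hypothetical, the sample pairs are constructed from the values listed above, and PHP 7.0 or later is assumed.

```php
<?php
// Added example: the same equality check written with loose comparison
// and with a strict, type-checked comparison.

// Weak: == applies type juggling, so two different numeric strings
// (or a string and an integer) can compare as equal.
function check_loose($supplied, $expected): bool
{
    return $supplied == $expected;
}

// Hardened: both operands must already be strings, and they are compared
// byte by byte. hash_equals() also runs in constant time, which makes it
// suitable for secrets such as tokens or password hashes.
function check_strict($supplied, $expected): bool
{
    return is_string($supplied)
        && is_string($expected)
        && hash_equals($expected, $supplied);
}

// Constructed sample pairs [supplied, expected], using values from the tables.
$pairs = [
    ["0e12", "0e34"],   // two different strings in exponential notation
    ["0e12", "0"],      // exponential notation against a plain zero
    [0,      "0000"],   // integer against a string of zeros
    ["0e12", "0e12"],   // byte-identical strings
];

foreach ($pairs as $pair) {
    list($supplied, $expected) = $pair;
    printf(
        "%-8s vs %-8s loose=%-5s strict=%s\n",
        var_export($supplied, true),
        var_export($expected, true),
        var_export(check_loose($supplied, $expected), true),
        var_export(check_strict($supplied, $expected), true)
    );
}
```

Only the last pair is byte-identical; the other three are the cases the tables above list as TRUE under ==.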

Exercise

WeChall is a great, classic resource with a lot of security challenges! Behave correctly and do not post your solutions on the Web.

Try to solve the WeChall challenge php0818. The magic number you enter to solve the challenge (lowercase…) is your password for Task 2!

Hint: analyse function noother_says_correct($number). You need to make the loose comparison in the return instruction true!