exploiting-type-juggling-vulnerabilities

# Exploiting Type Juggling Vulnerabilities ## When to Use - When testing PHP web applications for authentication bypass vulnerabilities - During assessment of password comparison and hash verification logic - When testing applications using loose comparison (== instead of ===) - During code review of PHP applications handling JSON or deserialized input - When evaluating input validation that relies on type-dependent comparison ## Prerequisites - Understanding of PHP type system and loose comparison behavior - Knowledge of magic hash values (0e prefix) and their scientific notation interpretation - Burp Suite for request manipulation and parameter type changing - PHP development environment for testing payloads locally - Collection of magic hash strings from PayloadsAllTheThings - Ability to send JSON or serialized data to control input types > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Workflow ### Step 1 — Identify Type Juggling Candidates ```bash # Look for PHP applications with: # - Login/authentication forms # - Password comparison endpoints # - API endpoints accepting JSON input # - Token/hash verification # - Numeric comparison for access control # Check if application accepts JSON input (allows type control) curl -X POST http://target.com/api/login \ -H "Content-Type: applicati...