Yes, you do still need to worry about Type Juggling!


Hey there,

PHP is known for its loose types and type juggling, and in my opinion, this is one of its super-powers. However, it can also be a massive weakness if you're not careful with how you handle user input. Even with the changes in PHP 8.0, which changed loose comparisons between numbers and non-numeric strings from automatically comparing them as numbers to treating them both as strings, it's still possible under the right conditions to abuse type juggling within PHP (and Laravel!) applications.
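As an added illustration of the PHP 8.0 change described above (my own snippet, not code from the email or the course), the following shows which loose comparisons PHP 8 still juggles and what a strict, timing-safe check looks like instead; every digest, token and request body in it is constructed:

```php
<?php
// Added illustration, not from the original email or the course.
// All values are constructed; none are real hashes, tokens or credentials.
declare(strict_types=1);

// PHP 8 change: a number compared loosely with a NON-numeric string is now
// compared as two strings ("0" vs "abc"), where PHP 7 first cast "abc" to 0.
function numberVsNonNumericString(): bool
{
    return 0 == 'abc';
}

// Still juggled in PHP 8: two NUMERIC strings compare as numbers, so any two
// strings shaped like "0e<digits>" are loosely equal (both evaluate to 0).
function twoNumericStrings(): bool
{
    return '0e12345' == '0e99999';   // constructed "0e" digests, not real hashes
}

// JSON lets the client choose the type: json_decode() turns a JSON `true`
// into a PHP bool, and a bool compared loosely with any non-empty string is equal.
function jsonBooleanVsString(): bool
{
    $body = json_decode('{"token": true}', true);   // constructed request body
    return $body['token'] == 'expected-token-value';
}

// Defence: require a string, then compare strictly and in constant time.
// hash_equals() never juggles types and is timing-safe for secret comparison.
function tokenMatches(mixed $candidate, string $expected): bool
{
    if (!is_string($candidate)) {
        return false;   // bool, int, null and array input never match
    }
    return hash_equals($expected, $candidate);
}

// The same inputs re-run through tokenMatches(): the bool from JSON is
// rejected outright and the two "0e" strings are treated as different.
$body = json_decode('{"token": true}', true);
var_dump(numberVsNonNumericString(), twoNumericStrings(), jsonBooleanVsString());
var_dump(tokenMatches($body['token'], 'expected-token-value'));
var_dump(tokenMatches('0e12345', '0e99999'));
var_dump(tokenMatches('0e12345', '0e12345'));
```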

I'm not even talking about theoretical attacks: I recently earned a top-prize bug bounty in a well-known Laravel application by exploiting a trivial type juggling vulnerability! It took me a total of 5 minutes to find and exploit to gain full access to their entire database...

So yes, you do DEFINITELY need to worry about Type Juggling! 😱

This is why I'm very excited to announce the latest Practical Laravel Security module on Type Juggling is now live!

If you've already signed up, go check it out here.

What's covered?

There are four new challenges included as part of this new module:

  1. Bypassing Passwords with Integers!
    Learn how type juggling worked before PHP 8.0, in case you're still supporting legacy apps, and to give you a good grounding for how it works before things start getting complicated.

  2. Magic Hashes!
    A lesson in why loose comparisons, even between strings, can be potentially catastrophic... Seriously, this is both nerdy-cool and terrifying. Thanks PHP... 😱

  3. JSON Makes This Easy!
    Because JSON makes everything better, easier, and safer, right? Yeah... nope. JSON actually makes type juggling incredibly easy. So you really need to know this bit!

  4. What About Serialization?
    JSON isn't the only method of serialising/encoding complex data into a string, and this challenge is a cheeky example of another way to abuse type juggling as a fun way to finish off the module.

Once you've finished the challenges and learnt how to abuse Type Juggling, you can move on to the new Defence: Strict/Secure Comparisons module!

In this module, we go through the different strict and secure comparison options available to us as PHP developers. If you're not doing these things, your site may be vulnerable... so this is a must-read.

Ready to get started?

If you've already signed up for Practical Laravel Security, you can find the new module here.

If you haven't signed up yet, you can get immediate access to this module - and all of the previous modules - at the discounted Early-Access price!

You'll get access to:

  1. 5 Attack Modules, with 28 interactive challenges, plus all new modules when they are released.
    Current modules: XSS, CSRF, SQLi, Missing Authorisation, and Type Juggling

  2. 11 Defence Modules covering all of the attacks, with more coming soon.
    Current modules: Escaping Output, HTML and Markdown, CSRF Tokens, SameSite Cookies, Cross-Origin Resource Sharing (CORS), Parameterisation, Authorisation Policies, Authorisation Gates, Signed URLs, HMAC Hashes, and Strict/Secure Comparisons

  3. Exclusive Discord Server
    Ask security questions, chat about security topics, and get some help with the challenges if you're stuck!

I'm building up momentum to get the rest of the course finished, so this discounted Early-Access price won't be around forever.

Sign Up Here!

I also have Teams Licences available - also at a discounted Early-Access rate - so reach out if you'd like to give your whole team access. (Or forward this to your team leader daily until they give in and buy it for you!)

What's next?

The next module on my list is Injection Attacks, which means RCE, LFI, PHP Object Deserialization, etc. I'm planning to have it out around this time next week!

I have some really cool challenges planned - which I somehow need to make safe so you don't actually hack my server! So keep an eye out for that, I'm very excited by those challenges.

I hope the rest of your week is awesome!

Thanks,
Stephen