Type Juggling - TairinySimeonato/WebAuditing GitHub Wiki

  • PHP has a feature called “type juggling”, or “type coercion”, where PHP converts two different variable types into a common type.
  • Let's take a look at the example below:
("8 cats" == 8) -> True
  • PHP attempts to extract the integer from the string, so the comparison will be True.
  • If we compare a string that contains no leading integer with an integer, the string is converted to 0.
("cats" == 0) -> True
  • "Zero-like" - an expression that PHP will loosely compare to int(0)
  • Mostly used to bypass authentication
  • This is not always exploitable and often needs to be combined with a deserialization flaw, because HTTP parameters and cookie values are mostly passed into the application as strings or arrays.
  • Type juggling issues can be exploited if the application accepts input via functions like json_decode() or unserialize(). This way, it would be possible for the end-user to specify the type of the input passed in.

PHP Magic Hashes

  • Well-known specific hashes used in type juggling attacks against PHP.
  • Password hashes in PHP are base16 (hex) encoded strings.

Defenses

  • Use strict comparison operators (===)
  • Specify the “strict” option for comparison functions
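
A worked PHP example, added here and not part of the wiki's own content, that runs the loose comparisons from the page, shows why "magic hashes" collide, and contrasts each with the strict alternatives from the Defenses list. The "8 cats" / "cats" results are for PHP 5 and 7; PHP 8.0 changed non-numeric-string vs. integer comparison so those two are false there, while the numeric-string cases stay true on all versions.

```php
<?php
// Added example for this wiki page (not the page's own code).
// Comments give the results for PHP 5.x / 7.x; see the PHP 8 note above.

// Loose comparisons from the page.
var_dump("8 cats" == 8);    // bool(true)  - leading integer is extracted (PHP < 8)
var_dump("cats"   == 0);    // bool(true)  - non-numeric string becomes 0 (PHP < 8)
var_dump("8 cats" === 8);   // bool(false) - strict comparison keeps the types

// "Magic hashes": md5()/sha1() output is hex, so a digest of the form
// 0e<digits only> is a valid numeric string (0 * 10^n). Two such strings
// compare numerically with == and are therefore "equal" although they differ.
$a = md5("240610708");      // 0e462097431906509019562988736854
$b = md5("QNKCDZO");        // 0e830400451993494058024219903391
var_dump($a == $b);         // bool(true)  - both parse as float 0.0 (all versions)
var_dump($a === $b);        // bool(false) - byte-for-byte comparison

// Vulnerable check: loose comparison of the stored hash against the
// user's password hash, so any input hashing to 0e<digits> is accepted.
function vulnerableCheck(string $storedHash, string $password): bool {
    return $storedHash == md5($password);
}

// Hardened check: hash_equals() compares strings byte-for-byte (no numeric
// coercion) and in constant time; === would also remove the coercion.
// For real password storage use password_hash()/password_verify().
function hardenedCheck(string $storedHash, string $password): bool {
    return hash_equals($storedHash, md5($password));
}

var_dump(vulnerableCheck($a, "QNKCDZO"));  // bool(true)  - bypass
var_dump(hardenedCheck($a, "QNKCDZO"));    // bool(false)

// The "strict" option of comparison functions forces === per element.
$allowed = ["0e462097431906509019562988736854"];
var_dump(in_array($b, $allowed));          // bool(true)  - loose match
var_dump(in_array($b, $allowed, true));    // bool(false) - strict match

// Type juggling via json_decode(): the client chooses the type. Sending the
// JSON integer 0 instead of a string matches any 0e<digits> stored hash.
$stored = "0e462097431906509019562988736854";
$body   = json_decode('{"hash": 0}', true);      // constructed request body
var_dump($stored ==  $body["hash"]);             // bool(true)  - numeric string vs int
var_dump($stored === $body["hash"]);             // bool(false)
```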
