0xma Cyber Security Articles

May 4, 2022

PHP Type Juggling

In this tutorial, we will see how to perform a PHP type juggling attack. We will see how to take the parameters from the query string of a GET request and send them instead as JSON in the body of the request. Using this technique, we will be able to access data in an unintended way.

This is the main page of the web application. Clicking on "View", displays some data about that particular user.

Main page of the web application.

Clicking on the "View" button triggers a function called "getBio".

Viewing the source of the main page.

This function sends a GET request to "api/getprofile".

JavaScript function that is triggered when clicking on the View button.

Capturing the GET request shows that it contains two parameters: id and secret.

Capturing the HTTP request in Burp Suite.

It displays some data about the user called "big0us".

Displaying some random data about a user.

Clicking on the second user sends a different "id" and "secret".

Capturing the HTTP request for the second user in Burp Suite.

And it displays some info related to the second user.

Displaying some random data about the second user.

Let's send one of these GET requests to Burp Repeater.

Sending a GET request to Burp Repeater.

This is the default response to a valid request.

Sending a HTTP request through Burp Repeater.

Right-click on the request and click on "Change request method".

Changing the request method from GET to POST.

Sending the request as a POST results in a "405 Method Not Allowed" response.

Sending the request as a POST.

Let's change the POST back to GET but keep the "id" and "secret" in the body. This results in a "422 Unprocessable Content" response.

Changing the request back to GET.

The next step is to change the contents of the body to JSON. I have also added a new header: Content-Type: application/json. This works: the response contains the data for the first user.

Sending the request body as JSON.

Let's try to retrieve data for the second user by changing the ID. However, the application detects that the input has been tampered with, because each user has their own particular hash in the "secret" parameter.

Trying to access data of a different user.

However, changing the value of "secret" to true (a JSON boolean rather than a string, which a query-string parameter could never be) works, and the response contains the data for the second user. This happens because the application compares the submitted secret with the stored hash using PHP's loose comparison (==): when one operand is a boolean, PHP converts the other to a boolean, and any non-empty string converts to true, so the check passes for every user. A PHP type juggling attack can allow an attacker to perform many unintended actions, such as gaining access to data they are not supposed to have or bypassing login restrictions.

Performing PHP juggling attack by using true for the secret value.
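As an added illustration that is not code from the original article, the following constructed PHP snippet places the loose check that the "secret": true trick exploits beside a hardened version; the user table, the hash values and the function names are assumptions, not the application's own code.

```php
<?php
// Constructed user table for illustration: id => [name, secret hash].
// The hash values are made up and have no meaning.
$users = [
    1 => ['name' => 'big0us', 'secret' => 'a1b2c3d4e5f6'],
    2 => ['name' => 'user2',  'secret' => 'f6e5d4c3b2a1'],
];

// Vulnerable: loose comparison. When one operand is a bool, PHP converts the
// other side to bool, so true == "any non-empty hash" evaluates to true.
// A query-string parameter is always a string, so this only becomes reachable
// once the request body is parsed as JSON and can carry a real boolean.
function checkSecretLoose(array $users, $id, $secret): bool
{
    if (!isset($users[$id])) {
        return false;
    }
    return $users[$id]['secret'] == $secret;   // loose ==
}

// Hardened: require the expected types, then compare with hash_equals(),
// which is strictly typed (both arguments must be strings) and constant-time.
// A plain === would also defeat the juggling, but not the timing leak.
function checkSecretStrict(array $users, $id, $secret): bool
{
    if (!is_int($id) || !isset($users[$id]) || !is_string($secret)) {
        return false;
    }
    return hash_equals($users[$id]['secret'], $secret);
}

// Constructed JSON bodies modelled on the article: the real hash, another
// user's hash, and the boolean true used in the type-juggling attempt.
$bodies = [
    '{"id": 2, "secret": "f6e5d4c3b2a1"}',   // legitimate request
    '{"id": 2, "secret": "a1b2c3d4e5f6"}',   // wrong (first user's) hash
    '{"id": 2, "secret": true}',             // type-juggling attempt
];

foreach ($bodies as $body) {
    $req = json_decode($body, true);
    printf("%-38s loose=%-5s strict=%s\n", $body,
        var_export(checkSecretLoose($users, $req['id'], $req['secret']), true),
        var_export(checkSecretStrict($users, $req['id'], $req['secret']), true));
}
// Expected: the first body passes both checks, the second fails both, and the
// third passes only the loose check.
```

Logging requests whose "secret" field decodes to a non-string type is a cheap detection for this class of attempt.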

If you liked reading this article, you can follow me on Twitter: mujtabareads.