Some PHP Insecurity Challenges

R3zk0n Β· October 2, 2025

API   CTF   Evasion   Security
Contents

    Type-Casting to String Bypass

    • Bypass integer type using string

    image

    hash_hmac Array() Bypass

    • Setting array() when expecting string type
    • hash_hmac value will result to NULL
    • Remove other parameter to also equal to NULL

    image

    • Loose comparison between NULL and β€œβ€ can also bypass

    image

    • Other Resources:
      • https://ctftime.org/writeup/8573
      • https://securify.nl/blog/spot-the-bug-challenge-2018-warm-up/

    Insecure Regex

    • Need to use $ to end the string
    • Array() can also cause failure to compare: https://bugs.php.net/bug.php?id=69274

    image

    In_array() loose comparison

    • in_array() without third variable is a loose comparison

    image

    Escaping HTML filters

    image

    PHP Type Juggling Vulnerability

    image

    Using β€œ==” is loose comparison in PHP, all we need is to set password={β€œpassword”:True} to successfully login.

    image

    String comparison using 0xFF

    HTTP Response Splitting in PHP

    image

    Twitter, Facebook