From 3bca1997f5571d71651ee958b3494dbe071b51de Mon Sep 17 00:00:00 2001 From: wstgbot <62450690+wstgbot@users.noreply.github.com> Date: Mon, 15 Jun 2026 15:25:26 +0000 Subject: [PATCH] Publish Latest 2026-06-15 Updates based on OWASP/wstg@c68e2ad --- ...ing_for_Bypassing_Authentication_Schema.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md index 15f4751..349db09 100644 --- a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md +++ b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.md @@ -124,6 +124,41 @@ Let's disassemble what we did in this string: 1. `autologinid` is now a boolean set to `true`: this can be seen by replacing the MD5 value of the password hash (`s:32:"8b8e9715d12e4ca12c4c3eb4865aaf6a"`) with `b:1` 2. `userid` is now set to the admin ID: this can be seen in the last piece of the string, where we replaced our regular user ID (`s:4:"1337"`) with `s:1:"2"` +### PHP Magic Hashes + +A similar issue can occur in PHP when hashes are are loosely compared, and end up being evaluated as numbers. + +PHP supports the use of [scientific notation](https://en.wikipedia.org/wiki/Scientific_notation) for numbers, so the number `2e4` is treated as "two times ten to the power of four", which equals 20,000. Similarly, a number such as `0e4` would be "zero times ten to the power of four", which equals zero. Because zero times anything is zero, this means that an comparison such as `0e2 == 0e3` would evaluate to true, because both sides equal zero. + +This can be exploitable where two password hashes are compared, and both of them are in the form of string of zeros, the letter "e", and then a string of numbers. Consider the following code: + +```php + Note: This also implies that passwords are either being stored in plain text, or using reversible encryption. + +Testing is simple: try and login to an account with a password that is incorrect, but is the same length as a valid one. + ## Tools - [WebGoat](https://owasp.org/www-project-webgoat/)