PHP Snippet #09
Bookmarked!This challenge covers the review of a snippet of code written in PHP
The Code Review Snippet challenge provides a piece of PHP code that defines a constant key and a function to sign data using HMAC with SHA-256. The script checks whether the $_GET["data"]
and $_GET["signature"]
parameters are set and validates the signature by comparing the HMAC of the data with the provided signature. However, the comparison on line seven uses ==
, which can be exploited due to type juggling. If $_GET["data"]
is an array, hash_hmac
returns NULL, and comparing NULL with an empty string using ==
results in a valid signature.
The issue lies in the fact that the ==
operator in PHP does not check for type equivalency. This allows an attacker to bypass the signature check by setting $_GET["signature"]
to an empty string, making the script believe the signature is valid. Additionally, the comparison method should be constant-time to prevent brute-force attacks. Understanding these nuances helps in identifying and mitigating such vulnerabilities in PHP applications.