PHP Snippet #08

This challenge covers the review of a snippet of code written in PHP

< 1 Hr.


The Code Review Snippet challenge in PentesterLab provides a small snippet of PHP code with a vulnerability. This particular lab involves a function that signs data using `hash_hmac` with SHA-256. The code checks if a provided data parameter and its corresponding signature match using a strict comparison.

The vulnerability arises because `hash_hmac` returns `NULL` when the input data is an array. An attacker can exploit this by passing an array as the data parameter and omitting the signature parameter, leading to a `NULL === NULL` comparison. This bypasses the signature verification, allowing unauthorized access. A more secure approach would be to use a constant-time comparison function to prevent brute-force attacks on the signature.

Want to learn more? Get started with PentesterLab Pro! GO PRO