Burp Suite User Forum


Update "Insecure deserialization" topic

Matvey | Last updated: Apr 03, 2024 09:36AM UTC

I was reading the "Modifying data types" (https://portswigger.net/web-security/deserialization/exploiting#modifying-data-types) section of the topic and tried to test the comparison operator in an online PHP sandbox, the "0" == "Example string" example in particular. I got a bit confused as the results did not match what was said in the text. It turns out that the comparison operator's behaviour was changed in PHP 8, and the previously mentioned example now returns 'false' instead of 'true'. Perhaps it's worth adding a note so that readers are aware that the provided examples' results may vary depending on the PHP version used in the application?

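The version difference Matvey describes, as an added illustration that is not code from this thread or from the Web Security Academy page. It assumes the integer-versus-string form of the comparison (0 == "Example string") and uses a hypothetical `User` class, a hypothetical token check and a constructed serialized payload whose `access_token` attribute has been changed from a string to the integer 0. It also shows the related 5 == "5 of something" case, which the linked PHP 8 migration guide changes in the same way, and a strict (===) check beside the loose one.

```php
<?php
// Added illustration for this thread; not code from the forum post or from the
// Web Security Academy page. The class, the token check and the stored secret
// are hypothetical stand-ins for an application that compares a deserialized
// attribute against a secret with ==.

class User
{
    public $username;
    public $access_token;
}

// Vulnerable check: loose comparison of a deserialized attribute with a stored secret.
function check_token_loose(User $u, string $stored): bool
{
    return $u->access_token == $stored;
}

// Hardened check: strict comparison, which never coerces types.
function check_token_strict(User $u, string $stored): bool
{
    return $u->access_token === $stored;
}

// Constructed attacker payload: the access_token attribute has had its data type
// changed from a string (s:N:"...";) to the integer 0 (i:0;).
$payload = 'O:4:"User":2:{s:8:"username";s:5:"admin";s:12:"access_token";i:0;}';

// allowed_classes restricts which classes unserialize() may instantiate (PHP 7.0+).
$user = unserialize($payload, ['allowed_classes' => [User::class]]);

$stored = 'Example string';   // hypothetical stored secret; not a numeric string

printf("PHP %s\n", PHP_VERSION);
printf("0 == \"Example string\"         : %s\n", var_export(0 == 'Example string', true));
printf("5 == \"5 of something\"         : %s\n", var_export(5 == '5 of something', true));
printf("check_token_loose() bypassed  : %s\n", var_export(check_token_loose($user, $stored), true));
printf("check_token_strict() bypassed : %s\n", var_export(check_token_strict($user, $stored), true));
```

Run the same file under a PHP 7.x and a PHP 8.x interpreter (`php example.php`). Per the migration guide linked later in this thread, PHP 7 converts the non-numeric string to 0 (and the leading-numeric string to 5) before comparing, so the first three results are true and the loose token check is bypassed; PHP 8 instead casts the integer to a string and compares as strings, so they become false. The strict check is false on every version, which is why `===` (or a constant-time comparison such as hash_equals() for secrets) is the fix rather than relying on the interpreter version.
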
Hannah, PortSwigger Agent | Last updated: Apr 03, 2024 04:12PM UTC

Hi. Thanks for highlighting this. Are these the differences that you are referring to? - https://www.php.net/manual/en/migration80.incompatible.php

Matvey | Last updated: Apr 08, 2024 12:53PM UTC

Sorry for the long response. Yeah, I was talking about these differences.

Hannah, PortSwigger Agent | Last updated: Apr 10, 2024 11:44AM UTC

Thanks for that information! We'll raise a request to update the information around this topic with the changes. If there's anything else we can help with, then please let us know.
