This weakness occurs when a program compares values of different types without proper type checking or conversion, allowing the language's type coercion rules to produce unexpected results. An attacker can exploit loose type comparisons to bypass authentication checks, validation logic, or access controls by supplying input that coerces to a "truthy" or matching value in an unintended way.
02 How It Happens
Most programming languages have implicit type coercion rules that attempt to convert values to a common type before comparison. When a developer relies on these automatic conversions without explicitly validating or casting types, the comparison may succeed or fail in ways the developer did not anticipate. For example, comparing a string to an integer, or a string to a boolean, may trigger coercion that treats "0" as false, "admin" as true, or "123abc" as the integer 123. An attacker who understands these coercion rules can craft input that satisfies a security check it was never meant to pass.
03 Real-World Impact
Type confusion vulnerabilities can lead to authentication bypass (e.g., logging in without a valid password), authorization bypass (e.g., gaining admin privileges), or validation bypass (e.g., uploading a malicious file by disguising its type). The severity depends on what decision the flawed comparison guards; a loose comparison in a login function is critical, while one in a non-security context may be low-risk.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
def check_user_role(user_input, admin_id):
    # Vulnerable: the untrusted value is compared to the admin ID without
    # first validating that it is of the expected type
    if user_input == admin_id:
        return "Admin access granted"
    return "User access only"


# Attacker supplies "0" as user_input. Python's == does not coerce str to
# int, so this particular call returns "User access only"; the check is only
# as strong as whatever type the caller happens to pass in.
result = check_user_role("0", 0)
Why it's vulnerable: the function never validates that user_input is actually an integer before the comparison, so its outcome depends entirely on the types the caller passes. Python's == does not coerce "0" to 0 (unlike PHP, below), but it silently allows a mixed-type comparison instead of rejecting it; if upstream code converts the input with int(), or the same logic is ported to a language with type juggling, the check becomes a trivial match.
<?php
function verify_token($user_token, $valid_token) {
    // Vulnerable: loose comparison allows type coercion
    if ($user_token == $valid_token) {
        return "Token valid";
    }
    return "Token invalid";
}

// Attacker supplies "0"; if $valid_token is also "0" or coerces to 0, comparison succeeds
echo verify_token("0", 0);
?>
Why it's vulnerable: PHP's == operator performs type juggling; "0" == 0 evaluates to true, and "0" == false also evaluates to true because a comparison against a boolean converts the other operand to a boolean first. This can allow unintended matches.
Fixed pattern
<?php
function verify_token($user_token, $valid_token) {
    // Fixed: strict comparison prevents type coercion
    if ($user_token === $valid_token) {
        return "Token valid";
    }
    return "Token invalid";
}

// Strict comparison: "0" === 0 is false; "0" === "0" is true
echo verify_token("0", "0");
?>
05 Prevention Checklist
Use strict equality operators (=== in PHP/JavaScript) whenever comparing security-sensitive values. In Python, note that is tests object identity rather than value and is only appropriate for singletons such as None; enforce the expected type with isinstance() before using ==.
Explicitly validate and convert user input to the expected type before any comparison; do not rely on implicit coercion.
Avoid comparing values of fundamentally different types (e.g., string to integer) in authentication, authorization, or validation logic.
Use type hints or static analysis tools to catch type mismatches during development.
Document the expected type of each variable and enforce it at function entry points.
Test edge cases: empty strings, "0", null, false, and other values that may coerce unexpectedly in your language.
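The coercion rules described under "How It Happens" and the edge cases this last checklist item names can be swept mechanically. The block below is an added example, not part of the original page; EDGE_CASE_INPUTS, label and findLooseOnlyMatches are names constructed for it. Given the value a check compares against, it returns every edge-case input that a loose comparison accepts but a strict one rejects, which is exactly the set an attacker-controlled field could use to slip past code written with ==. It goes slightly beyond the page's "0" examples by also covering whitespace-only strings, negative zero and arrays, which coerce through toString().

```javascript
// Added example (not from the original page): sweep edge-case inputs against
// an expected value and report those that pass == but fail ===.
// EDGE_CASE_INPUTS, label and findLooseOnlyMatches are constructed names.

// Values that routinely coerce in surprising ways in JavaScript; extend the
// list with whatever your own input sources (query strings, JSON bodies,
// form fields) can actually produce.
const EDGE_CASE_INPUTS = [
  '', '0', ' ',            // strings: empty, numeric, whitespace-only
  0, -0, NaN, 1, '1',      // numbers and a numeric string
  null, undefined,         // absent values
  false, true,             // booleans
  [], [0], ['0'],          // arrays, which coerce via toString()
];

// Human-readable label so -0, NaN, strings and arrays stay distinguishable
// in the report (String(-0) would otherwise print as "0").
function label(v) {
  if (Object.is(v, -0)) return '-0';
  if (Number.isNaN(v)) return 'NaN';
  if (typeof v === 'string' || Array.isArray(v)) return JSON.stringify(v);
  return String(v);
}

// Inputs that a loose comparison against `expected` accepts while a strict
// comparison rejects them. An empty result means == and === agree for every
// tested input, which is what a hardened check should produce.
function findLooseOnlyMatches(expected, inputs = EDGE_CASE_INPUTS) {
  return inputs.filter((v) => v == expected && v !== expected).map(label);
}

// Usage: audit the comparison a "disabled account" check performs.
// findLooseOnlyMatches(false) reports "", "0", " ", 0, -0, [], [0] and ["0"],
// so `flag == false` treats all of them as a disabled account.
```

Run findLooseOnlyMatches with the literal your check compares against (false, 0, "0", null) and treat every reported value as a test case for the hardened version; with === in place the function returns an empty list for all of them.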
06 Signs You May Already Be Affected
Review authentication and authorization functions for loose comparisons (== in PHP, == in JavaScript, or implicit coercion in Python). Check logs for unexpected successful logins or privilege escalations with unusual input patterns (e.g., numeric strings where integers were expected, or vice versa). If you find a function that compares user-supplied input directly to a hardcoded value without type validation, that is a red flag.
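The code review described above can be started with a lightweight sweep that flags loose comparisons and ranks the ones that sit near security-sensitive identifiers. The block below is an added example, not part of the original page: LOOSE_COMPARISON, SENSITIVE, findLooseComparisons, prioritize and the sample PHP source are all constructed for the illustration. It is a triage aid for deciding which functions to read first, not a parser, so it will miss comparisons split across lines and may flag a == inside a string literal.

```javascript
// Added example (not from the original page): flag == and != in source text
// and rank hits near security-sensitive names. All names and the sample
// source below are constructed for this illustration.

// Match == or != that is not part of === or !== (and ignore <=, >=, =>).
const LOOSE_COMPARISON = /(?<![=!<>])(==|!=)(?!=)/;

// Identifiers that suggest the comparison guards a security decision.
const SENSITIVE = /(auth|login|passw|token|role|admin|session|secret|otp)/i;

// Scan source text line by line; trailing // and # comments are dropped so a
// remark such as "use === not ==" does not produce a hit.
function findLooseComparisons(source) {
  const hits = [];
  source.split('\n').forEach((text, idx) => {
    const code = text.replace(/\/\/.*$/, '').replace(/#.*$/, '');
    if (!LOOSE_COMPARISON.test(code)) return;
    hits.push({ line: idx + 1, text: text.trim(), sensitive: SENSITIVE.test(code) });
  });
  return hits;
}

// Security-sensitive hits first, each group in source order.
function prioritize(hits) {
  return [...hits].sort((a, b) => Number(b.sensitive) - Number(a.sensitive) || a.line - b.line);
}

// Constructed sample: a PHP file mixing loose and strict comparisons.
const SAMPLE_SOURCE = [
  '<?php',
  'function verify_token($user_token, $valid_token) {',
  '    if ($user_token == $valid_token) {          // loose and sensitive',
  '        return "Token valid";',
  '    }',
  '    return "Token invalid";',
  '}',
  'function is_admin($role) {',
  '    return $role == 1;',
  '}',
  '$page = $_GET["page"];',
  'if ($page != "home") { render($page); }',
  'if ($count === 0) { echo "empty"; }',
  'if ($user["password"] === $stored) { login(); }  // strict, fine',
  '$disabled = $flag == false; # config flag',
].join('\n');

// Expected on SAMPLE_SOURCE: lines 3 and 9 ranked first (sensitive),
// then lines 12 and 15; the === comparisons on lines 13 and 14 are not flagged.
```

Feed it the contents of the authentication and authorization files named in the review step above and read the prioritized list top down; each sensitive hit is a candidate for the strict-comparison and type-validation fixes from the previous section.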