SKILL: PHP Type Juggling — Weak Comparison & Magic Hash Bypass

AI LOAD INSTRUCTION: PHP == coercion, magic hashes (0e…), HMAC/hash loose checks, NULL from bad types, and CTF-style strcmp / json_decode / intval tricks. Use strict routing: map the sink (== vs hash_equals), PHP major version, and whether both operands are attacker-controlled.

Routing note: when you encounter PHP login/signature logic or code like md5($_GET['x'])==md5($_GET['y']), start with this skill; if hash_equals/=== is already used, this path usually does not apply.

0. QUICK START

First-pass goal: prove the server branch treats unequal secrets/tokens as equal via coercion, not guess the real password.

First-pass payloads (auth / token shape)
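The sink distinction from the load instruction and routing note above (== versus hash_equals), shown as a loose check beside its hardened form. This is an added example, not part of the original skill; the function names and the digest-shaped strings are constructed for illustration and are not real hash outputs.

```php
<?php
declare(strict_types=1);

// Before: loose comparison. PHP compares two numeric-looking strings as
// numbers, and NULL == NULL is true, so unequal inputs can pass the check.
function token_matches_loose($expected, $supplied): bool
{
    return $expected == $supplied;
}

// After: fail closed on anything that is not a string, then compare the
// bytes with hash_equals(), which is also constant-time.
function token_matches_strict($expected, $supplied): bool
{
    if (!is_string($expected) || !is_string($supplied)) {
        return false; // arrays, NULL and ints never reach the comparison
    }
    return hash_equals($expected, $supplied);
}

// Constructed digest-shaped strings: "0e" followed by 30 decimal digits.
$a = '0e' . str_repeat('1', 30);
$b = '0e' . str_repeat('2', 30);

$cases = [
    'different 0e-digit strings' => [$a, $b],
    'both operands NULL'         => [null, null],
    'identical strings'          => [$a, $a],
];

// Print how each check treats each pair of operands.
foreach ($cases as $label => [$expected, $supplied]) {
    printf(
        "%-28s loose=%-5s strict=%s\n",
        $label,
        var_export(token_matches_loose($expected, $supplied), true),
        var_export(token_matches_strict($expected, $supplied), true)
    );
}
```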