Type Confusion Anti-Pattern
Severity: High
Summary
Programs misinterpret data types through loose comparisons, implicit coercion, or improper input handling. Attackers exploit type confusion in weakly-typed languages (JavaScript, PHP) and dynamic data structures (JSON) to bypass security checks, manipulate logic, or achieve code execution.
The Anti-Pattern
The anti-pattern is using loose equality (==) or trusting incoming data types without explicit validation.
BAD Code Example
// VULNERABLE: Loose equality comparison in authentication.
function checkAdminAccess(userId) {
// Expected: userId is string "123".
// Attacker input: userId is number 0.
// JavaScript: "0" == 0 evaluates to true (type coercion).
if (userId == 0) { // Loose equality
return true; // Grants admin access if userId is "0" or 0.
}
return false;
}
// Scenario 1: userId = "0" (string) gains admin access.
// Scenario 2: userId = 0 (number) bypasses the check.
// PHP example: "0e12345" == "0e56789" (both evaluate to 0).
// If password hash starts with "0e", attacker provides another
// hash starting with "0e" to bypass authentication.
GOOD Code Example
// SECURE: Strict equality and explicit type validation.
// Option 1: Strict equality (===) checks both value AND type.
function checkAdminAccessSecure(userId) {
// "0" === 0 evaluates to false.
if (userId === 0) {
return true;
}
return false;
}
// Option 2: Explicitly validate input type.
function processProductId(productId) {
// Ensure productId is string matching expected format.
if (typeof productId !== 'string' || !/^\d+$/.test(productId)) {
throw new Error("Invalid product ID format.");
}
// Safe to use productId with known type and format.
return parseInt(productId, 10);
}
Detection
- Code Review:
- Loose equality operators: Search for
==in JavaScript or PHP code (prefer===). - Implicit type conversions: Look for contexts where a variable of one type might be implicitly converted to another, especially when performing comparisons or operations.
- Dynamic language features: Be cautious with how user-provided data is used in contexts where the language might automatically infer or coerce types.
- Loose equality operators: Search for
- Input Validation: Check if all incoming user input (JSON body, query parameters, form data) is explicitly validated for its expected data type before being processed.
- Dynamic Queries: Review code that constructs queries for NoSQL databases (like MongoDB) or other systems using user input. Attackers can often inject operators (
$gt,$ne) by changing the input's type from a string to an object.
Prevention
- Use strict equality: In JavaScript/PHP, always use
===instead of==. - Validate input types explicitly: Check and enforce expected types before using user data. Safely convert integers and validate ranges.
- Use schema validation: For JSON APIs, use validation libraries (JSON Schema, Joi, Pydantic) that strictly enforce types and formats.
- Protect NoSQL queries: Avoid embedding user-controlled objects in queries. Sanitize or allowlist specific field-value pairs to prevent operator injection.
- Understand language type juggling: Know how your language handles type conversions and stay vigilant where this enables exploits.
Related Security Patterns & Anti-Patterns
- Missing Input Validation Anti-Pattern: Type validation is a fundamental part of comprehensive input validation.
- Integer Overflow Anti-Pattern: A specific type of numeric issue that can arise from unexpected type handling.
- NoSQL Injection: Type confusion is a common vector for exploiting NoSQL databases.
References
- OWASP Top 10 A05:2025 - Injection
- OWASP GenAI LLM05:2025 - Improper Output Handling
- OWASP API Security API8:2023 - Security Misconfiguration
- CWE-843: Access of Resource Using Incompatible Type
- CAPEC-153: Input Data Manipulation
- PHP Type Juggling (OWASP)
- NoSQL Injection Testing (OWASP)
- Source: sec-context