The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

How is CWE-486 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-486?

Exploiting CWE-486 can lead to: Execute Unauthorized Code or Commands.

CWE-486: Comparison of Classes by Name

Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In this example, the expression in the if statement compares the class of the inputClass object to a trusted class by comparing the class names.

Vulnerable example

java

if (inputClass.getClass().getName().equals("TrustedClassName")) {

Safe example

java

if (inputClass.getClass() == TrustedClass.class) {

However, multiple classes can have the same name therefore comparing an object's class by name can allow untrusted classes of the same name as the trusted class to be use to execute unintended or incorrect code. To compare the class of an object to the intended class the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example.

In this example, the Java class, TrustedClass, overrides the equals method of the parent class Object to determine equivalence of objects of the class. The overridden equals method first determines if the object, obj, is the same class as the TrustedClass object and then compares the object's fields to determine if the objects are equivalent.

Vulnerable example

java

public class TrustedClass {

Safe example

java

public boolean equals(Object obj) {

However, the equals method compares the class names of the object, obj, and the TrustedClass object to determine if they are the same class. As with the previous example using the name of the class to compare the class of objects can lead to the execution of unintended or incorrect code if the object passed to the equals method is of another class with the same name. To compare the class of an object to the intended class, the getClass() method and the comparison operator "==" should be used to ensure the correct trusted class is used, as shown in the following example.

CWE-486: Comparison of Classes by Name

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-486?

How do you prevent CWE-486?

How is CWE-486 detected?

What are the consequences of CWE-486?

References

Stay ahead of CWE-486

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Peer

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-486?

How do you prevent CWE-486?

How is CWE-486 detected?

What are the consequences of CWE-486?

References

Stay ahead of CWE-486