Variant weakness

Draft

CWE-597: Use of Wrong Operator in String Comparison

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.

Vulnerable example

java

String str1 = new String("Hello");

Safe example

java

if (str1.equals(str2)) {

However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:

In the example below, three JavaScript variables are declared and initialized with the same values. Note that JavaScript will change a value between numeric and string as needed, which is the reason an integer is included with the strings. An if statement is used to determine whether the values are the same.

However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails. The types in the second are int and reference, so this one fails as well. The types in the third are reference and string, so it also fails.

While the variables above contain the same values, they are contained in different types, so the document.getElementById... statement will not be executed in any of the cases.

To compare object values, the previous code is modified and shown below to use the "==" for value comparison so the comparison in this example executes the HTML statement:

In the example below, two PHP variables are declared and initialized with the same numbers - one as a string, the other as an integer. Note that PHP will change the string value to a number for a comparison. An if statement is used to determine whether the values are the same.

However, the body of the if statement will not be executed, as the "===" compares both the type of the variable AND the value. As the types of the first comparison are number and string, it fails.

While the variables above contain the same values, they are contained in different types, so the TRUE portion of the if statement will not be executed.

To compare object values, the previous code is modified and shown below to use the "==" for value comparison (string converted to number) so the comparison in this example executes the TRUE statement:

CWE-597: Use of Wrong Operator in String Comparison

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-597?

What CVEs are caused by CWE-597?

How is CWE-597 detected?

What are the consequences of CWE-597?

Is CWE-597 actively exploited?

References

Stay ahead of CWE-597

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-597?

What CVEs are caused by CWE-597?

How is CWE-597 detected?

What are the consequences of CWE-597?

Is CWE-597 actively exploited?

References

Stay ahead of CWE-597