CWE-697: Incorrect Comparison

CWE-697: Incorrect Comparison | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.

Vulnerable example

java

public class Truck {

Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included.

This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Vulnerable example

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */

Attack input

plaintext

CWE-697: Incorrect Comparison

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Attack patterns

Frequently asked questions

What is CWE-697?

What CVEs are caused by CWE-697?

How is CWE-697 detected?

What are the consequences of CWE-697?

Is CWE-697 actively exploited?

References

Stay ahead of CWE-697

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Child

Related

Attack patterns

Frequently asked questions

What is CWE-697?

What CVEs are caused by CWE-697?

How is CWE-697 detected?

What are the consequences of CWE-697?

Is CWE-697 actively exploited?

References

Stay ahead of CWE-697