Insufficient Comparison
Weakness ID: 697 (Weakness Class)
Status: Incomplete
+ Description

Description Summary

The software compares two entities in a security-relevant context, but the comparison is insufficient, which may lead to resultant weaknesses.

Extended Description

This weakness class covers two possibilities: (1) the comparison checks one factor incorrectly (for example, a partial or prefix match where an exact match is required, or a comparison of the wrong type); (2) the comparison should consider multiple factors, but it does not check some of those factors at all.
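An added example, not part of the CWE entry, showing both possibilities in a redirect-target allowlist check. The function names, the ALLOWED_HOSTS set and the sample URLs are constructed for this illustration. The weak version compares the URL's authority by prefix (one factor checked incorrectly) and never looks at the scheme (a factor not checked at all); the corrected version compares the parsed hostname exactly and checks the scheme as well.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only hosts a redirect may target.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_allowed_redirect_insufficient(url: str) -> bool:
    """Insufficient comparison (hypothetical 'before' code).

    (1) One factor is checked incorrectly: the authority string is compared
        by prefix, so anything that merely starts with the allowed host passes.
    (2) A factor is not checked at all: the scheme is ignored.
    """
    netloc = urlsplit(url).netloc
    return netloc.startswith("example.com")


def is_allowed_redirect(url: str) -> bool:
    """Sufficient comparison: every security-relevant factor is checked,
    and each one is compared exactly rather than partially."""
    parts = urlsplit(url)
    # Factor 1: the scheme must be one we actually intend to redirect to.
    if parts.scheme not in ("http", "https"):
        return False
    # Factor 2: compare the real host, not the raw authority string.
    # .hostname strips userinfo ("user@") and the port and lower-cases, so
    # "https://example.com@attacker.net/" yields "attacker.net".
    host = parts.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def evaluate(urls):
    """Return {url: (insufficient_result, sufficient_result)} for inspection."""
    return {u: (is_allowed_redirect_insufficient(u), is_allowed_redirect(u)) for u in urls}


# Constructed sample inputs: one legitimate target and several bypass attempts.
SAMPLE_URLS = [
    "https://example.com/account",         # legitimate
    "https://example.com.attacker.net/",   # prefix match on host (partial comparison)
    "https://example.com@attacker.net/",   # userinfo trick: the real host is attacker.net
    "ftp://example.com/",                  # scheme never checked by the weak version
]

if __name__ == "__main__":
    for url, (weak, strong) in evaluate(SAMPLE_URLS).items():
        print(f"{url:40} insufficient={weak!s:5} sufficient={strong}")
```

The weak check accepts all four sample URLs; the corrected check accepts only the first. Note that the fix is not just "use an exact match": the userinfo case shows that the value being compared (the raw authority) was also the wrong one, so the comparison has to run against the parsed hostname.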

+ Time of Introduction
  • Implementation
+ Weakness Ordinalities
  • Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature, Type, ID, Name; View(s) this relationship pertains to
  • ChildOf, Category, 171, Cleansing, Canonicalization, and Comparison Errors; Development Concepts (primary) 699
  • ChildOf, Category, 747, CERT C Secure Coding Section 49 - Miscellaneous (MSC); Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734
  • ParentOf, Weakness Base, 183, Permissive Whitelist; Research Concepts 1000
  • ParentOf, Weakness Base, 184, Incomplete Blacklist; Research Concepts 1000
  • ParentOf, Weakness Class, 185, Incorrect Regular Expression; Research Concepts (primary) 1000
  • ParentOf, Weakness Base, 187, Partial Comparison; Research Concepts (primary) 1000
  • ParentOf, Weakness Base, 372, Incomplete Internal State Distinction; Research Concepts (primary) 1000
  • ParentOf, Weakness Variant, 478, Missing Default Case in Switch Statement; Research Concepts (primary) 1000
  • ParentOf, Weakness Variant, 486, Comparison of Classes by Name; Research Concepts (primary) 1000
  • ParentOf, Weakness Base, 595, Comparison of Object References Instead of Object Contents; Research Concepts (primary) 1000
  • ParentOf, Weakness Base, 596, Incorrect Semantic Object Comparison; Research Concepts (primary) 1000
  • MemberOf, View, 1000, Research Concepts; Research Concepts (primary) 1000
  • CanFollow, Weakness Variant, 481, Assigning instead of Comparing; Research Concepts 1000
+ Taxonomy Mappings
Mapped Taxonomy Name, Node ID, Fit, Mapped Node Name
  • CERT C Secure Coding, MSC31-C, Ensure that return values are compared against the proper type
+ Related Attack Patterns
CAPEC-ID, Attack Pattern Name (CAPEC Version: 1.4)
  • 3, Using Leading 'Ghost' Character Sequences to Bypass Input Filters
  • 4, Using Alternative IP Address Encodings
  • 7, Blind SQL Injection
  • 8, Buffer Overflow in an API Call
  • 9, Buffer Overflow in Local Command-Line Utilities
  • 10, Buffer Overflow via Environment Variables
  • 14, Client-side Injection-induced Buffer Overflow
  • 15, Command Delimiters
  • 24, Filter Failure through Buffer Overflow
  • 92, Forced Integer Overflow
  • 43, Exploiting Multiple Input Interpretation Layers
  • 88, OS Command Injection
  • 44, Overflow Binary Resource File
  • 45, Buffer Overflow via Symbolic Links
  • 46, Overflow Variables and Tags
  • 47, Buffer Overflow via Parameter Expansion
  • 52, Embedding NULL Bytes
  • 53, Postfix, Null Terminate, and Backslash
  • 64, Using Slashes and URL Encoding Combined to Bypass Validation Logic
  • 66, SQL Injection
  • 67, String Format Overflow in syslog()
  • 73, User-Controlled Filename
  • 78, Using Escaped Slashes in Alternate Encoding
  • 79, Using Slashes in Alternate Encoding
  • 6, Argument Injection
  • 86, Embedding Script (XSS) in HTTP Headers
  • 32, Embedding Scripts in HTTP Query Strings
  • 18, Embedding Scripts in Nonscript Elements
  • 19, Embedding Scripts within Scripts
  • 34, HTTP Response Splitting
  • 63, Simple Script Injection
  • 41, Using Meta-characters in E-mail Headers to Inject Malicious Payloads
  • 71, Using Unicode Encoding to Bypass Validation Logic
  • 80, Using UTF-8 Encoding to Bypass Validation Logic
  • 91, XSS in IMG Tags
+ Content History
Modifications
Modification Date, Modifier, Organization, Source
  • 2008-11-24, CWE Content Team, MITRE, Internal: updated Relationships, Taxonomy Mappings
  • 2009-03-10, CWE Content Team, MITRE, Internal: updated Related Attack Patterns
  • 2009-05-27, CWE Content Team, MITRE, Internal: updated Description