CWE-697: Insufficient Comparison
Weakness ID: 697 (Weakness Class) | Status: Incomplete
Description Summary
The software compares two entities in a security-relevant context, but the comparison is insufficient, which may lead to resultant weaknesses.
Extended Description
This weakness class covers several possibilities: (1) the comparison checks one factor incorrectly; (2) the comparison should consider multiple factors, but it does not check some of those factors at all.
Weakness Ordinalities
Ordinality | Description
---|---
Primary | (where the weakness exists independent of other weaknesses)
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | 699: Development Concepts (primary)
ChildOf | Category | 747 | CERT C Secure Coding Section 49 - Miscellaneous (MSC) | 734: Weaknesses Addressed by the CERT C Secure Coding Standard (primary)
ParentOf | Weakness Base | 183 | Permissive Whitelist | 1000: Research Concepts
ParentOf | Weakness Base | 184 | Incomplete Blacklist | 1000: Research Concepts
ParentOf | Weakness Class | 185 | Incorrect Regular Expression | 1000: Research Concepts (primary)
ParentOf | Weakness Base | 187 | Partial Comparison | 1000: Research Concepts (primary)
ParentOf | Weakness Base | 372 | Incomplete Internal State Distinction | 1000: Research Concepts (primary)
ParentOf | Weakness Variant | 478 | Missing Default Case in Switch Statement | 1000: Research Concepts (primary)
ParentOf | Weakness Variant | 486 | Comparison of Classes by Name | 1000: Research Concepts (primary)
ParentOf | Weakness Base | 595 | Comparison of Object References Instead of Object Contents | 1000: Research Concepts (primary)
ParentOf | Weakness Base | 596 | Incorrect Semantic Object Comparison | 1000: Research Concepts (primary)
MemberOf | View | 1000 | Research Concepts | 1000: Research Concepts (primary)
CanFollow | Weakness Variant | 481 | Assigning instead of Comparing | 1000: Research Concepts
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
CERT C Secure Coding | MSC31-C | | Ensure that return values are compared against the proper type
Related Attack Patterns (CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name
---|---
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4 | Using Alternative IP Address Encodings
7 | Blind SQL Injection
8 | Buffer Overflow in an API Call
9 | Buffer Overflow in Local Command-Line Utilities
10 | Buffer Overflow via Environment Variables
14 | Client-side Injection-induced Buffer Overflow
15 | Command Delimiters
24 | Filter Failure through Buffer Overflow
92 | Forced Integer Overflow
43 | Exploiting Multiple Input Interpretation Layers
88 | OS Command Injection
44 | Overflow Binary Resource File
45 | Buffer Overflow via Symbolic Links
46 | Overflow Variables and Tags
47 | Buffer Overflow via Parameter Expansion
52 | Embedding NULL Bytes
53 | Postfix, Null Terminate, and Backslash
64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic
66 | SQL Injection
67 | String Format Overflow in syslog()
73 | User-Controlled Filename
78 | Using Escaped Slashes in Alternate Encoding
79 | Using Slashes in Alternate Encoding
6 | Argument Injection
86 | Embedding Script (XSS) in HTTP Headers
32 | Embedding Scripts in HTTP Query Strings
18 | Embedding Scripts in Nonscript Elements
19 | Embedding Scripts within Scripts
34 | HTTP Response Splitting
63 | Simple Script Injection
41 | Using Meta-characters in E-mail Headers to Inject Malicious Payloads
71 | Using Unicode Encoding to Bypass Validation Logic
80 | Using UTF-8 Encoding to Bypass Validation Logic
91 | XSS in IMG Tags