1. Home
  2. CWE Database
  3. CWE-1025
Base · Medium

CWE-1025: Comparison Using Wrong Factors

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

CWE-1025 · Base Level

Description

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Potential Impact

Other

Varies by Context

Demonstrative Examples

In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.
Bad
String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");}
However, the if statement will not be executed as the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:
Good
if (str1.equals(str2)) {System.out.println("str1 equals str2");}

Detection Methods

  • Manual Static Analysis — Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CWE-697: Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect.

Frequently Asked Questions

What is CWE-1025?

CWE-1025 (Comparison Using Wrong Factors) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

How can CWE-1025 be exploited?

Attackers can exploit CWE-1025 (Comparison Using Wrong Factors) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1025?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-1025?

CWE-1025 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.