Description
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
In Java, using == or != to compare two strings for equality actually compares two objects for equality rather than their string values for equality. Chances are good that the two references will never be equal. While this weakness often only affects program correctness, if the equality is used for a security decision, the unintended comparison result could be leveraged to affect program security.
Potential Impact
Other
Other
Demonstrative Examples
String str1 = new String("Hello");String str2 = new String("Hello");if (str1 == str2) {System.out.println("str1 == str2");}if (str1.equals(str2)) {System.out.println("str1 equals str2");}<p id="ieq3s1" type="text">(i === s1) is FALSE</p>
<p id="s4eq3i" type="text">(s4 === i) is FALSE</p>
<p id="s4eq3s1" type="text">(s4 === s1) is FALSE</p>
var i = 65;
var s1 = '65';
var s4 = new String('65');
if (i === s1)
{
document.getElementById("ieq3s1").innerHTML = "(i === s1) is TRUE";
}
if (s4 === i)
{
document.getElementById("s4eq3i").innerHTML = "(s4 === i) is TRUE";
}
if (s4 === s1)
{
document.getElementById("s4eq3s1").innerHTML = "(s4 === s1) is TRUE";
}<p id="ieq2s1" type="text">(i == s1) is FALSE</p>
<p id="s4eq2i" type="text">(s4 == i) is FALSE</p>
<p id="s4eq2s1" type="text">(s4 == s1) is FALSE</p>
var i = 65;
var s1 = '65';
var s4 = new String('65');
if (i == s1)
{
document.getElementById("ieq2s1").innerHTML = "(i == s1) is TRUE";
}
if (s4 == i)
{
document.getElementById("s4eq2i").innerHTML = "(s4 == i) is TRUE";
}
if (s4 == s1)
{
document.getElementById("s4eq2s1").innerHTML = "(s4 == s1) is TRUE";
}var $i = 65;
var $s1 = "65";
if ($i === $s1)
{
echo '($i === $s1) is TRUE'. "\n";
}
else
{
echo '($i === $s1) is FALSE'. "\n";
}var $i = 65;
var $s1 = "65";
if ($i == $s1)
{
echo '($i == $s1) is TRUE'. "\n";
}
else
{
echo '($i == $s1) is FALSE'. "\n";
}Mitigations & Prevention
Within Java, use .equals() to compare string values. Within JavaScript, use == to compare string values. Within PHP, use == to compare a numeric value to a string value. (PHP converts the string to a number.)
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): EXP03-J — Do not use the equality operators when comparing values of boxed primitives
- The CERT Oracle Secure Coding Standard for Java (2011): EXP03-J — Do not use the equality operators when comparing values of boxed primitives
- SEI CERT Perl Coding Standard: EXP35-PL — Use the correct operator type for comparing values
- Software Fault Patterns: SFP1 — Glitch in computation
Frequently Asked Questions
What is CWE-597?
CWE-597 (Use of Wrong Operator in String Comparison) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
How can CWE-597 be exploited?
Attackers can exploit CWE-597 (Use of Wrong Operator in String Comparison) to other. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-597?
Key mitigations include: Within Java, use .equals() to compare string values. Within JavaScript, use == to compare string values. Within PHP, use == to compare a numeric value to a string value
What is the severity of CWE-597?
CWE-597 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.