CWE - CWE-697: Insufficient Comparison (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-697: Insufficient Comparison

Insufficient Comparison

Weakness ID: 697 (Weakness Class)

Status: Incomplete

Description

Description Summary

The software compares two entities in a security-relevant context, but the comparison is insufficient, which may lead to resultant weaknesses.

Extended Description

This weakness class covers several possibilities: (1) the comparison checks one factor incorrectly; (2) the comparison should consider multiple factors, but it does not check some of those factors at all.

Time of Introduction

Implementation

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	171	Cleansing, Canonicalization, and Comparison Errors	Development Concepts (primary)699
ChildOf	Category	747	CERT C Secure Coding Section 49 - Miscellaneous (MSC)	Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ParentOf	Weakness Base	183	Permissive Whitelist	Research Concepts1000
ParentOf	Weakness Base	184	Incomplete Blacklist	Research Concepts1000
ParentOf	Weakness Class	185	Incorrect Regular Expression	Research Concepts (primary)1000
ParentOf	Weakness Base	187	Partial Comparison	Research Concepts (primary)1000
ParentOf	Weakness Base	372	Incomplete Internal State Distinction	Research Concepts (primary)1000
ParentOf	Weakness Variant	478	Missing Default Case in Switch Statement	Research Concepts (primary)1000
CanFollow	Weakness Variant	481	Assigning instead of Comparing	Research Concepts1000
ParentOf	Weakness Variant	486	Comparison of Classes by Name	Research Concepts (primary)1000
ParentOf	Weakness Base	595	Comparison of Object References Instead of Object Contents	Research Concepts (primary)1000
ParentOf	Weakness Base	596	Incorrect Semantic Object Comparison	Research Concepts (primary)1000
MemberOf	View	1000	Research Concepts	Research Concepts (primary)1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CERT C Secure Coding	MSC31-C		Ensure that return values are compared against the proper type

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.4)
3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters
4	Using Alternative IP Address Encodings
7	Blind SQL Injection
8	Buffer Overflow in an API Call
9	Buffer Overflow in Local Command-Line Utilities
10	Buffer Overflow via Environment Variables
14	Client-side Injection-induced Buffer Overflow
15	Command Delimiters
24	Filter Failure through Buffer Overflow
92	Forced Integer Overflow
43	Exploiting Multiple Input Interpretation Layers
88	OS Command Injection
44	Overflow Binary Resource File
45	Buffer Overflow via Symbolic Links
46	Overflow Variables and Tags
47	Buffer Overflow via Parameter Expansion
52	Embedding NULL Bytes
53	Postfix, Null Terminate, and Backslash
64	Using Slashes and URL Encoding Combined to Bypass Validation Logic
66	SQL Injection
67	String Format Overflow in syslog()
73	User-Controlled Filename
78	Using Escaped Slashes in Alternate Encoding
79	Using Slashes in Alternate Encoding
6	Argument Injection
86	Embedding Script (XSS ) in HTTP Headers
32	Embedding Scripts in HTTP Query Strings
18	Embedding Scripts in Nonscript Elements
19	Embedding Scripts within Scripts
34	HTTP Response Splitting
63	Simple Script Injection
41	Using Meta-characters in E-mail Headers to Inject Malicious Payloads
71	Using Unicode Encoding to Bypass Validation Logic
80	Using UTF-8 Encoding to Bypass Validation Logic
91	XSS in IMG Tags

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Relationships, Taxonomy Mappings
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Related Attack Patterns
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us