Incorrect Comparison
Incomplete Pillar
Structure: Simple
Description
This weakness occurs when a security-critical decision relies on a flawed comparison between two pieces of data. The incorrect logic can create a gap that attackers exploit to bypass checks or trigger unintended behavior.
Incorrect comparisons often happen because the check is too simplistic for the security context. For example, a developer might validate only one attribute when multiple factors should be considered, compare the wrong values entirely, or implement the comparison logic incorrectly (like using the wrong operator). This creates a mismatch between the intended security rule and what the code actually enforces. From a developer's perspective, this flaw is a logic bug in a security gate. It's not about missing a check, but about writing a check that doesn't work as intended. To prevent it, carefully review any comparison used for authentication, authorization, input validation, or state change decisions. Ensure it evaluates all necessary conditions with precise logic and test it with both valid and malicious edge cases.
Common Consequences 1
Scope: Other
Impact: Varies by Context
Demonstrative Examples 2
ID : DX-115
Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.Code Example:
Bad
Java
javaHere, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included.
ID : DX-116
This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.Code Example:
Bad
C
/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. /
cIn AuthenticateUser(), the strncmp() call uses the string length of an attacker-provided inPass parameter in order to determine how many characters to check in the password. So, if the attacker only provides a password of length 1, the check will only examine the first byte of the application's password before determining success.
As a result, this partial comparison leads to improper authentication (Improper Authentication).
Any of these passwords would still cause authentication to succeed for the "admin" user:
Code Example:
Attack
bashThis significantly reduces the search space for an attacker, making brute force attacks more feasible.
The same problem also applies to the username, so values such as "a" and "adm" will succeed for the username.
While this demonstrative example may not seem realistic, see the Observed Examples for CVE entries that effectively reflect this same weakness.
Observed Examples 3
CVE-2021-3116Chain: Python-based HTTP Proxy server uses the wrong boolean operators (Use of Incorrect Operator) causing an incorrect comparison (Incorrect Comparison) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (Weak Authentication)
CVE-2020-15811Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (Incorrect Comparison), allowing request splitting (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')) and cache poisoning
CVE-2016-10003Proxy performs incorrect comparison of request headers, leading to infoleak
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
- 3DEPRECATED: Technology-specific Environment Issues
- 6J2EE Misconfiguration: Insufficient Session-ID Length
- 7J2EE Misconfiguration: Missing Custom Error Page
- 8J2EE Misconfiguration: Entity Bean Declared Remote
- 9J2EE Misconfiguration: Weak Access Permissions for EJB Methods
- 10DEPRECATED: ASP.NET Environment Issues
- 14Compiler Removal of Code to Clear Buffers
- 15External Control of System or Configuration Setting
- 24Path Traversal: '../filedir'
- 41Improper Resolution of Path Equivalence
- 43Path Equivalence: 'filename....' (Multiple Trailing Dot)
- 44Path Equivalence: 'file.name' (Internal Dot)
- 45Path Equivalence: 'file...name' (Multiple Internal Dot)
- 46Path Equivalence: 'filename ' (Trailing Space)
- 47Path Equivalence: ' filename' (Leading Space)
- 52Path Equivalence: '/multiple/trailing/slash//'
- 53Path Equivalence: '\multiple\\internal\backslash'
- 64Windows Shortcut Following (.LNK)
- 67Improper Handling of Windows Device Names
- 71DEPRECATED: Apple '.DS_Store'
- 73External Control of File Name or Path
- 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 88Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
- 92DEPRECATED: Improper Sanitization of Custom Special Characters
- 120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- 182Collapse of Data into Unsafe Value
- 267Privilege Defined With Unsafe Actions
Notes
Research Gap
Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.
MaintenanceThis entry likely has some relationships with case sensitivity (Improper Handling of Case Sensitivity), but case sensitivity is a factor in other types of weaknesses besides comparison. Also, in cryptography, certain attacks are possible when certain comparison operations do not take place in constant time, causing a timing-related information leak (Observable Timing Discrepancy).