Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.
CWE-783 Base Borrador
Operator Precedence Logic Error
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
Definición
What is CWE-783?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
At its core, this is a programming mistake where the order in which operations are evaluated (like comparison before logical AND) doesn't match the developer's intent. For example, writing `if (x & 1 == 0)` might be intended to check if the least significant bit is zero, but due to precedence, it's actually evaluated as `if (x & (1 == 0))`, leading to an incorrect result.
While this can manifest as a simple bug in non-critical code, it becomes a serious security flaw when it appears in security-critical decision points. A common and dangerous example is within authentication or authorization logic, where a flawed expression could incorrectly grant access or bypass a security check entirely, directly compromising the application's security.
Impacto en el mundo real
Real-world CVEs caused by CWE-783
-
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
-
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
-
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
- 2
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
- 3
In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
- 4
However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
- 5
Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369).
Ejemplo de código vulnerable
Vulnerable C
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
#define FAIL 0
#define SUCCESS 1
...
int validateUser(char *username, char *password) {
int isUser = FAIL;
```
// call method to authenticate username and password*
*// if authentication fails then return failure otherwise return success*
if (isUser = AuthenticateUser(username, password) == FAIL) {
```
return isUser;
}
else {
isUser = SUCCESS;
}
return isUser;
} Ejemplo de código seguro
Secure C
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
...
if ((isUser = AuthenticateUser(username, password)) == FAIL) {
... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-783
- Implementation Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Señales de detección
How to detect CWE-783
Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.
Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.
Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.
Plexicus detecta automáticamente CWE-783 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-783?
¿Qué gravedad tiene CWE-783?
¿Qué lenguajes o plataformas se ven afectados por CWE-783?
¿Cómo puedo prevenir CWE-783?
¿Cómo detecta y corrige Plexicus CWE-783?
¿Dónde puedo aprender más sobre CWE-783?
Frequently asked questions
¿Qué es CWE-783?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
¿Qué gravedad tiene CWE-783?
MITRE califica la probabilidad de explotación como Baja — la explotación es poco frecuente, pero la debilidad debe corregirse cuando se descubra.
¿Qué lenguajes o plataformas se ven afectados por CWE-783?
MITRE lists the following affected platforms: C, C++.
¿Cómo puedo prevenir CWE-783?
Regularly wrap sub-expressions in parentheses, especially in security-critical code.
¿Cómo detecta y corrige Plexicus CWE-783?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-783 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-783?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/783.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-783
CWE-670 Padre
Always-Incorrect Control Flow Implementation
This weakness occurs when a section of code is structured in a way that always executes incorrectly, regardless of input or conditions.…
CWE-480 Hermano
Use of Incorrect Operator
This vulnerability occurs when a developer mistakenly uses the wrong operator in their code, leading to unintended and potentially…
CWE-483 Hermano
Incorrect Block Delimitation
This vulnerability occurs when a developer fails to use explicit braces or delimiters to group multiple statements within a block, leading…
CWE-484 Hermano
Omitted Break Statement in Switch
This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code…
CWE-617 Hermano
Reachable Assertion
A reachable assertion occurs when an attacker can trigger an assert() statement or similar debugging check, causing the application to…
CWE-698 Hermano
Execution After Redirect (EAR)
Execution After Redirect (EAR) occurs when a web application sends a redirect response to a user's browser but continues to run…
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.