Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.
CWE-783 Base Brouillon
Operator Precedence Logic Error
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
Définition
What is CWE-783?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
At its core, this is a programming mistake where the order in which operations are evaluated (like comparison before logical AND) doesn't match the developer's intent. For example, writing `if (x & 1 == 0)` might be intended to check if the least significant bit is zero, but due to precedence, it's actually evaluated as `if (x & (1 == 0))`, leading to an incorrect result.
While this can manifest as a simple bug in non-critical code, it becomes a serious security flaw when it appears in security-critical decision points. A common and dangerous example is within authentication or authorization logic, where a flawed expression could incorrectly grant access or bypass a security check entirely, directly compromising the application's security.
Impact réel
Real-world CVEs caused by CWE-783
-
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
-
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
-
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
- 2
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
- 3
In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
- 4
However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
- 5
Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369).
Exemple de code vulnérable
Vulnerable C
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
#define FAIL 0
#define SUCCESS 1
...
int validateUser(char *username, char *password) {
int isUser = FAIL;
```
// call method to authenticate username and password*
*// if authentication fails then return failure otherwise return success*
if (isUser = AuthenticateUser(username, password) == FAIL) {
```
return isUser;
}
else {
isUser = SUCCESS;
}
return isUser;
} Exemple de code sécurisé
Secure C
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
...
if ((isUser = AuthenticateUser(username, password)) == FAIL) {
... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-783
- Implementation Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Signaux de détection
How to detect CWE-783
Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.
Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.
Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.
Plexicus détecte automatiquement CWE-783 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-783 ?
Quelle est la gravité de CWE-783 ?
Quels langages ou plateformes sont affectés par CWE-783 ?
Comment puis-je prévenir CWE-783 ?
Comment Plexicus détecte et corrige CWE-783 ?
Où puis-je en savoir plus sur CWE-783 ?
Frequently asked questions
Qu'est-ce que CWE-783 ?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
Quelle est la gravité de CWE-783 ?
MITRE évalue la probabilité d'exploitation comme Faible — l'exploitation est rare, mais la faiblesse doit tout de même être corrigée lorsqu'elle est découverte.
Quels langages ou plateformes sont affectés par CWE-783 ?
MITRE lists the following affected platforms: C, C++.
Comment puis-je prévenir CWE-783 ?
Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Comment Plexicus détecte et corrige CWE-783 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-783 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-783 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/783.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-783
CWE-670 Parent
Always-Incorrect Control Flow Implementation
This weakness occurs when a section of code is structured in a way that always executes incorrectly, regardless of input or conditions.…
CWE-480 Frère
Use of Incorrect Operator
This vulnerability occurs when a developer mistakenly uses the wrong operator in their code, leading to unintended and potentially…
CWE-483 Frère
Incorrect Block Delimitation
This vulnerability occurs when a developer fails to use explicit braces or delimiters to group multiple statements within a block, leading…
CWE-484 Frère
Omitted Break Statement in Switch
This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code…
CWE-617 Frère
Reachable Assertion
A reachable assertion occurs when an attacker can trigger an assert() statement or similar debugging check, causing the application to…
CWE-698 Frère
Execution After Redirect (EAR)
Execution After Redirect (EAR) occurs when a web application sends a redirect response to a user's browser but continues to run…
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.