Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-783 Base Rascunho
Operator Precedence Logic Error
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
Definição
What is CWE-783?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
At its core, this is a programming mistake where the order in which operations are evaluated (like comparison before logical AND) doesn't match the developer's intent. For example, writing `if (x & 1 == 0)` might be intended to check if the least significant bit is zero, but due to precedence, it's actually evaluated as `if (x & (1 == 0))`, leading to an incorrect result.
While this can manifest as a simple bug in non-critical code, it becomes a serious security flaw when it appears in security-critical decision points. A common and dangerous example is within authentication or authorization logic, where a flawed expression could incorrectly grant access or bypass a security check entirely, directly compromising the application's security.
Impacto no mundo real
Real-world CVEs caused by CWE-783
-
Authentication module allows authentication bypass because it uses "(x = call(args) == SUCCESS)" instead of "((x = call(args)) == SUCCESS)".
-
Chain: Language interpreter calculates wrong buffer size (CWE-131) by using "size = ptr ? X : Y" instead of "size = (ptr ? X : Y)" expression.
-
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
- 2
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
- 3
In this example, the method calculates the return on investment for an accounting/financial application. The return on investment is calculated by subtracting the initial investment costs from the current value and then dividing by the initial investment costs.
- 4
However, the return on investment calculation will not produce correct results because of the incorrect operator precedence logic in the equation. The divide operator has a higher precedence than the minus operator, therefore the equation will divide the initial investment costs by the initial investment costs which will only subtract one from the current value. Again this operator precedence logic error can be resolved by the correct use of parentheses within the equation, as shown below.
- 5
Note that the initialInvestment variable in this example should be validated to ensure that it is greater than zero to avoid a potential divide by zero error (CWE-369).
Exemplo de código vulnerável
Vulnerable C
In the following example, the method validateUser makes a call to another method to authenticate a username and password for a user and returns a success or failure code.
#define FAIL 0
#define SUCCESS 1
...
int validateUser(char *username, char *password) {
int isUser = FAIL;
```
// call method to authenticate username and password*
*// if authentication fails then return failure otherwise return success*
if (isUser = AuthenticateUser(username, password) == FAIL) {
```
return isUser;
}
else {
isUser = SUCCESS;
}
return isUser;
} Exemplo de código seguro
Secure C
However, the method that authenticates the username and password is called within an if statement with incorrect operator precedence logic. Because the comparison operator "==" has a higher precedence than the assignment operator "=", the comparison operator will be evaluated first and if the method returns FAIL then the comparison will be true, the return variable will be set to true and SUCCESS will be returned. This operator precedence logic error can be easily resolved by properly using parentheses within the expression of the if statement, as shown below.
...
if ((isUser = AuthenticateUser(username, password)) == FAIL) {
... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-783
- Implementation Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Sinais de deteção
How to detect CWE-783
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-783 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-783?
Qual a gravidade do CWE-783?
Que linguagens ou plataformas são afetadas pelo CWE-783?
Como posso prevenir o CWE-783?
Como é que o Plexicus deteta e corrige o CWE-783?
Onde posso saber mais sobre o CWE-783?
Frequently asked questions
O que é o CWE-783?
This vulnerability occurs when a developer writes a conditional expression where the intended logic is broken due to misunderstanding or misapplying the rules of operator precedence.
Qual a gravidade do CWE-783?
A MITRE classifica a probabilidade de exploração como Baixa — a exploração é pouco comum, mas a fraqueza deve mesmo assim ser corrigida quando descoberta.
Que linguagens ou plataformas são afetadas pelo CWE-783?
MITRE lists the following affected platforms: C, C++.
Como posso prevenir o CWE-783?
Regularly wrap sub-expressions in parentheses, especially in security-critical code.
Como é que o Plexicus deteta e corrige o CWE-783?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-783 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-783?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/783.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-783
CWE-670 Pai
Always-Incorrect Control Flow Implementation
This weakness occurs when a section of code is structured in a way that always executes incorrectly, regardless of input or conditions.…
CWE-480 Irmão
Use of Incorrect Operator
This vulnerability occurs when a developer mistakenly uses the wrong operator in their code, leading to unintended and potentially…
CWE-483 Irmão
Incorrect Block Delimitation
This vulnerability occurs when a developer fails to use explicit braces or delimiters to group multiple statements within a block, leading…
CWE-484 Irmão
Omitted Break Statement in Switch
This vulnerability occurs when a developer forgets to include a 'break' statement inside a switch-case block. Without it, the code…
CWE-617 Irmão
Reachable Assertion
A reachable assertion occurs when an attacker can trigger an assert() statement or similar debugging check, causing the application to…
CWE-698 Irmão
Execution After Redirect (EAR)
Execution After Redirect (EAR) occurs when a web application sends a redirect response to a user's browser but continues to run…
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.