Difference between revisions of "LII:Web Application Security Guide/Comparison issues"
Shawndouglas (talk | contribs) (Created as needed.) |
Shawndouglas (talk | contribs) m (Added further reading) |
||
| Line 1: | Line 1: | ||
{{TOC right}} | {{TOC right}} | ||
==Comparison issues== | ==Comparison issues== | ||
When comparing values, know the | When comparing values, know the behavior of your programming language. For example in PHP, "<code><nowiki>==</nowiki></code>" is a loose comparison that ignores the type and may give you unexpected behaviour. "<code><nowiki>===</nowiki></code>" is used for exact comparison. Using the wrong type of comparison can lead to security issues. | ||
===To prevent comparison issues=== | ===To prevent comparison issues=== | ||
* Know comparison types in your programming language and use the correct one | * Know comparison types in your programming language and use the correct one. | ||
* When in doubt (especially with PHP), use a strict comparison (PHP: "<code><nowiki>===</nowiki></code>") | * When in doubt (especially with PHP), use a strict comparison (PHP: "<code><nowiki>===</nowiki></code>"). | ||
* When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other | * When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other. | ||
===Rationale=== | ===Rationale=== | ||
| Line 14: | Line 14: | ||
Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks. | Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks. | ||
==Further reading== | |||
* [[wikipedia:Relational operator|Comparison (computer programming)]] | |||
==Notes== | ==Notes== | ||
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Comparison_issues the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. | The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Comparison_issues the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license. | ||
Latest revision as of 22:46, 10 August 2016
Comparison issues
When comparing values, know the behavior of your programming language. For example in PHP, "==" is a loose comparison that ignores the type and may give you unexpected behaviour. "===" is used for exact comparison. Using the wrong type of comparison can lead to security issues.
To prevent comparison issues
- Know comparison types in your programming language and use the correct one.
- When in doubt (especially with PHP), use a strict comparison (PHP: "
==="). - When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.
Rationale
Using a too loose comparison can easily cause security issues. For example, in PHP, the following will evaluate to TRUE:
"a97e8342f0" == 0
The hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0.
Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks.
Further reading
Notes
The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.
