LII:Web Application Security Guide/Comparison issues

From LIMSWiki
Revision as of 22:46, 10 August 2016 by Shawndouglas (talk | contribs) (Added further reading)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Comparison issues

When comparing values, know the behavior of your programming language. For example in PHP, "==" is a loose comparison that ignores the type and may give you unexpected behaviour. "===" is used for exact comparison. Using the wrong type of comparison can lead to security issues.

To prevent comparison issues

  • Know comparison types in your programming language and use the correct one.
  • When in doubt (especially with PHP), use a strict comparison (PHP: "===").
  • When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other.

Rationale

Using a too loose comparison can easily cause security issues. For example, in PHP, the following will evaluate to TRUE:

 "a97e8342f0" == 0

The hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0.

Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks.

Further reading

Notes

The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.