CWE-486

Comparison of Classes by Name

Variant

Draft

Description

The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

Parent Weaknesses (ChildOf)

CWE-1025: Comparison Using Wrong Factors...

Common Consequences

Scope

Integrity

Confidentiality

Availability

Impact

Execute Unauthorized Code or Commands

Potential Mitigations

Implementation

Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.

Applicable Platforms

Java

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now