CWE • Variant • Incomplete • 3 recent CVEs
CWE-187: Partial String Comparison
Description
The product performs a comparison that examines only a portion of a factor (for example, a substring) before deciding whether there is a match, which leads to resultant weaknesses.
For example, an attacker might succeed in authentication by providing a short password that matches the corresponding portion of the longer, correct password.
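As an added illustration (not part of the CWE entry itself), the C code below places a password check that exhibits this weakness beside a corrected one. The function names and the sample secret are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak check (CWE-187): compares only as many bytes as the caller supplied,
 * so any prefix of the stored password, including the empty string, matches. */
bool check_password_partial(const char *stored, const char *supplied)
{
    return strncmp(stored, supplied, strlen(supplied)) == 0;
}

/* Corrected check: the lengths must agree and every byte must match.
 * Differences are OR-ed together instead of returning at the first mismatch,
 * so the comparison time does not reveal how many leading bytes were right.
 * (The early return on a length mismatch reveals only the length.) */
bool check_password_full(const char *stored, const char *supplied)
{
    size_t n = strlen(stored);
    if (n != strlen(supplied)) {
        return false;
    }
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)stored[i] ^ (unsigned char)supplied[i];
    }
    return diff == 0;
}

int main(void)
{
    const char *stored = "correct-horse"; /* constructed sample secret */
    const char *attempts[] = { "corr", "", "correct-horse", "wrong" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++) {
        printf("\"%s\": partial=%d full=%d\n", attempts[i],
               check_password_partial(stored, attempts[i]),
               check_password_full(stored, attempts[i]));
    }
    return 0;
}
```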
Common consequences
- Scope: Integrity, Access Control → Impact: Alter Execution Logic, Bypass Protection Mechanism
Potential mitigations
- Testing: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.