CWE-187: Partial String Comparison
Learn about CWE-187 (Partial String Comparison), its security impact, exploitation methods, and prevention guidelines.
What is Partial String Comparison?
• Overview: Partial String Comparison (CWE-187) is a vulnerability where software incorrectly determines a match by only comparing part of a string or factor, such as using a substring. This can lead to incorrect validations or authorizations.
• Exploitation Methods:
- Attackers can exploit this vulnerability by providing input that matches only the portion of a string being compared, such as a short password that matches the beginning of a longer correct password.
- Common attack patterns include using truncated inputs or deliberately crafted strings to trigger false positive matches.
• Security Impact:
- Direct consequences include unauthorized access or actions if authentication or validation processes are bypassed.
- Potential cascading effects may include further breaches into other systems or data leakage due to improper validation.
- Business impact can involve data breaches, loss of customer trust, and financial penalties due to non-compliance with security standards.
• Prevention Guidelines:
- Specific code-level fixes include ensuring full string comparisons and validating entire inputs rather than substrings.
- Security best practices involve rigorous input validation and comprehensive testing to identify partial matches.
- Recommended tools and frameworks may include static analysis tools that detect improper string comparisons and secure coding libraries that enforce complete validation.
Corgea can automatically detect and fix Partial String Comparison in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
function isAuthorized(userInput, secretKey) {
// Vulnerable: Partial string comparison allows unauthorized access
// if userInput matches the start of the secretKey.
if (secretKey.indexOf(userInput) === 0) {
return true;
}
return false;
}
// Example usage
const userInput = "pass"; // Partial guessing
const secretKey = "password123";
console.log(isAuthorized(userInput, secretKey)); // Returns true, even if input is only part of secretKey
Explanation
In the vulnerable code example, the function isAuthorized checks if userInput is a prefix of secretKey using indexOf. This means that if userInput is the beginning part of secretKey, the function will return true, allowing unauthorized access.
How to fix Partial String Comparison?
To fix this vulnerability, you should ensure that the comparison checks for full equality between userInput and secretKey. This can be achieved by using strict equality comparison (===), which ensures that the entire strings match exactly.
Fixed Code Example
function isAuthorized(userInput, secretKey) {
// Fixed: Use full string comparison to ensure userInput
// matches secretKey exactly, preventing unauthorized access.
if (userInput === secretKey) {
return true;
}
return false;
}
// Example usage
const userInput = "pass"; // Does not match the entire secretKey
const secretKey = "password123";
console.log(isAuthorized(userInput, secretKey)); // Returns false, since the input does not match the full secretKey
Explanation
In the fixed code example, the function isAuthorized now uses strict equality (===) to compare userInput and secretKey. This ensures that only when userInput is exactly the same as secretKey, the function returns true. This prevents unauthorized access by eliminating the possibility of partial string matches.