Corgea LogoCorgea Security Hub

CWE-682: Incorrect Calculation

Learn about CWE-682 (Incorrect Calculation), its security impact, exploitation methods, and prevention guidelines.

What is Incorrect Calculation?

• Overview: This vulnerability occurs when an application performs calculations incorrectly, leading to unintended or incorrect results, particularly in security-critical areas. These miscalculations can affect decisions related to security or resource management, potentially undermining the system’s integrity.

• Exploitation Methods:

  • Attackers can exploit this by manipulating inputs to trigger incorrect calculations that benefit them, such as gaining unauthorized access or resources.
  • Common attack patterns include input manipulation and exploiting logic errors to cause the application to misinterpret or mishandle critical data.

• Security Impact:

  • Direct consequences include incorrect resource allocation, privilege escalation, and failed security checks.
  • Potential cascading effects can lead to broken security mechanisms, data breaches, or arbitrary code execution.
  • Business impact can range from financial loss, reputational damage, to legal consequences due to compromised security.

• Prevention Guidelines:

  • Specific code-level fixes involve thorough input validation, accurate arithmetic operations, and using safe libraries for computations.
  • Security best practices include implementing robust error handling, conducting regular code reviews, and using defensive coding techniques.
  • Recommended tools and frameworks encompass static analysis tools for detecting calculation errors and using established cryptographic libraries for security-critical calculations.

Corgea can automatically detect and fix Incorrect Calculation in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Not Technology-Specific

Vulnerable Code Example

function calculateTax(price, taxRate) {
    // Vulnerable calculation: Incorrectly computes tax
    // The calculation mistakenly uses subtraction instead of multiplication, leading to incorrect tax values
    // This error can result in financial discrepancies and potential legal issues
    return price - taxRate;  // Incorrect calculation
}

const price = 100;
const taxRate = 0.15;
console.log(`Tax for \$\${price}: \$\${calculateTax(price, taxRate)}`);

How to fix Incorrect Calculation?

The issue here is that the tax calculation uses subtraction instead of multiplication, which leads to incorrect tax amounts. This can affect revenue calculations and compliance with tax laws.

Fix Approach:

  1. Correct Mathematical Operations: Ensure that calculations use the correct arithmetic operations.
  2. Validation and Testing: Implement unit tests to validate that calculations produce expected results.
  3. Peer Reviews: Use peer reviews to catch arithmetic errors in the code.

Fixed Code Example

function calculateTax(price, taxRate) {
    // Fixed calculation: Correctly computes tax using multiplication
    // This ensures the tax amount is accurately calculated as a percentage of the price
    return price * taxRate;  // Corrected calculation
}

const price = 100;
const taxRate = 0.15;
console.log(`Tax for \$\${price}: \$\${calculateTax(price, taxRate)}`);

Additional Recommendations:

  • Unit Testing: Implement unit tests to verify that calculateTax returns expected results for a variety of inputs.
  • Code Reviews: Regularly perform code reviews to catch similar arithmetic errors.
  • Documentation: Clearly document the intended calculations and business logic to prevent misunderstandings.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-682: Incorrect Calculation and get remediation guidance

Start for free and no credit card needed.