Comparing Classes by Name

From Guidance Share

Jump to: navigation, search

Contents

Description

The practice of determining an object’s type, based on its name, is dangerous since malicious code may purposely reuse class names in order to appear trusted.


Applies To

  • Languages: Java, .NET
  • Operating platforms: Any


Example

The following code shows a trust decision based upon class name:

if (inputClass.getClass().getName().equals(“TrustedClassName”)) {
// Do something assuming you trust inputClass
// ... 
}


Impact

  • Authorization: If a program bases code trust on the name of the object, it may execute the wrong (potentially malicious) code.


Vulnerabilities

  • Failure to use a strong mechanism for identifying classes or assemblies.


Countermeasures

  • Implementation: If you are using Java, use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.
  • Implementation: If you are using .NET, use strong names to identify a trusted class.


Vulnerability Patterns


How Tos

Personal tools