Comparing Classes by Name

From Guidance Share
Revision as of 04:34, 7 August 2007 by GardenTender (talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to navigationJump to search


The practice of determining an object’s type, based on its name, is dangerous since malicious code may purposely reuse class names in order to appear trusted.

Applies To

  • Languages: Java, .NET
  • Operating platforms: Any


The following code shows a trust decision based upon class name:

if (inputClass.getClass().getName().equals(“TrustedClassName”)) {
// Do something assuming you trust inputClass
// ... 


  • Authorization: If a program bases code trust on the name of the object, it may execute the wrong (potentially malicious) code.


  • Failure to use a strong mechanism for identifying classes or assemblies.


  • Implementation: If you are using Java, use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.
  • Implementation: If you are using .NET, use strong names to identify a trusted class.

Vulnerability Patterns

How Tos