AttackFlow Findings Dictionary

Lack Of Equals Implementation

An attacker may take advantage of an incorrect Equals comparison between two instances of a custom class, where the inherited reference-equality check does not match the equality the code actually relies on.



Fix Cost


Trust Level


Every class derives from System.Object and inherits its default Equals implementation. For reference types, System.Object.Equals compares two objects by identity: it returns true only when both references point to the same instance, regardless of the values of their fields. (Value types are different: System.ValueType overrides Equals with a field-by-field comparison.) For a custom class this identity semantic is often not the intended equality check, and code that compares such instances (deduplication, lookups in hash-based collections, checks that two objects describe the same user or resource) silently takes the wrong branch.

var object1 = new CustomClass("bob", 34);
var object2 = new CustomClass("bob", 34);

if (object1.Equals(object2))
{
    // according to the default Equals implementation, code never gets here
}

Given the above code, if CustomClass does not override Equals, the equality check fails: object1 and object2 are distinct instances, so the inherited reference comparison returns false. The intended semantic, however, may well treat them as equal because they carry the same first name and age. Where value-based equality is what the design calls for, the class must override Equals and GetHashCode together (equal objects must produce equal hash codes, or Dictionary and HashSet lookups break) and should implement IEquatable<T> so that typed callers get the same behaviour.
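The following C# program is an added example, not code from the AttackFlow page: it writes the page's CustomClass twice, once relying on the inherited System.Object.Equals and once with a value-based override, so the difference in behaviour can be observed directly. The field names FirstName and Age, and the use of System.HashCode.Combine (available from .NET Core 2.1 / .NET Standard 2.1), are assumptions of this example.

```csharp
using System;

// Added example (not from the AttackFlow page). Assumed shape of CustomClass:
// a first name and an age, matching the page's constructor call.

// Version 1: no Equals override. The inherited System.Object.Equals compares
// references, so two distinct instances are never equal even when every
// field matches.
public sealed class CustomClassDefault
{
    public string FirstName { get; }
    public int Age { get; }

    public CustomClassDefault(string firstName, int age)
    {
        FirstName = firstName;
        Age = age;
    }
}

// Version 2: value-based equality. Equals, the non-generic override and
// GetHashCode are kept consistent with each other.
public sealed class CustomClassFixed : IEquatable<CustomClassFixed>
{
    public string FirstName { get; }
    public int Age { get; }

    public CustomClassFixed(string firstName, int age)
    {
        FirstName = firstName ?? throw new ArgumentNullException(nameof(firstName));
        Age = age;
    }

    // Two instances are equal when every significant field matches.
    // Ordinal comparison avoids culture-dependent surprises.
    public bool Equals(CustomClassFixed other)
    {
        if (other is null) return false;
        if (ReferenceEquals(this, other)) return true;
        return string.Equals(FirstName, other.FirstName, StringComparison.Ordinal)
            && Age == other.Age;
    }

    // Route the object-typed override through the typed one so that
    // collections and non-generic callers see the same semantics.
    public override bool Equals(object obj) => Equals(obj as CustomClassFixed);

    // Equal objects must hash equally, otherwise Dictionary/HashSet lookups
    // miss entries that Equals would have matched.
    public override int GetHashCode() => HashCode.Combine(FirstName, Age);
}

public static class Program
{
    public static void Main()
    {
        // Same field values, distinct instances: reference equality says "not equal".
        var a = new CustomClassDefault("bob", 34);
        var b = new CustomClassDefault("bob", 34);
        Console.WriteLine($"default Equals:    {a.Equals(b)}");

        // Same field values, distinct instances: value equality says "equal",
        // and the hash codes agree as the contract requires.
        var c = new CustomClassFixed("bob", 34);
        var d = new CustomClassFixed("bob", 34);
        Console.WriteLine($"overridden Equals: {c.Equals(d)}");
        Console.WriteLine($"hash codes agree:  {c.GetHashCode() == d.GetHashCode()}");
    }
}
```

Running it shows the first comparison returning false and the second returning true, with matching hash codes for the fixed class. Once Equals is overridden, remember that every comparison site in the codebase now uses the new semantics, including those that previously (and perhaps intentionally) relied on identity; review them before changing the contract.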

