AttackFlow Findings Dictionary


Lack Of Equals Implementation

An attacker may take advantage of an incorrect Equals comparison between two instances of a custom class.

Severity

Low

Fix Cost

Medium

Trust Level

High

Every class extends System.Object and inherits the default System.Object.Equals implementation. System.Object.Equals compares two objects for equality by checking whether they are the same instance (reference equality). This comparison semantic is often not the intended equality check for instances of custom classes.

var object1 = new CustomClass("bob", 34);
var object2 = new CustomClass("bob", 34);

if (object1.Equals(object2))
{
    // With the default System.Object.Equals this branch is never entered:
    // object1 and object2 are distinct instances.
}

Given the above code, if CustomClass does not override the Equals method, the equality check fails. However, the intended semantics might be that the two objects are equal because they have the same first name and age.
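The following is an added example, not code from the AttackFlow page: it contrasts the page's CustomClass relying on the default System.Object.Equals with a version that overrides Equals and GetHashCode and implements IEquatable<T>, so that value equality also works for HashSet and Dictionary lookups. The field names FirstName and Age and the helper class CustomClassNoEquals are assumptions for illustration; HashCode.Combine requires .NET Core 2.1 / .NET Standard 2.1 or later.

```csharp
using System;
using System.Collections.Generic;

// Constructed example: the page's CustomClass first without and then with a
// correct Equals/GetHashCode implementation.

// Version 1 (the finding): inherits System.Object.Equals, i.e. reference equality.
sealed class CustomClassNoEquals
{
    public string FirstName { get; }
    public int Age { get; }

    public CustomClassNoEquals(string firstName, int age)
    {
        FirstName = firstName;
        Age = age;
    }
}

// Version 2 (the fix): value equality based on the fields that define identity.
sealed class CustomClass : IEquatable<CustomClass>
{
    public string FirstName { get; }
    public int Age { get; }

    public CustomClass(string firstName, int age)
    {
        FirstName = firstName ?? throw new ArgumentNullException(nameof(firstName));
        Age = age;
    }

    public bool Equals(CustomClass other)
    {
        if (other is null) return false;
        if (ReferenceEquals(this, other)) return true;
        // Ordinal comparison: culture-insensitive and case-sensitive, so "bob" and "Bob" differ.
        return string.Equals(FirstName, other.FirstName, StringComparison.Ordinal)
            && Age == other.Age;
    }

    // Route the object-typed overload through the strongly typed one.
    public override bool Equals(object obj) => Equals(obj as CustomClass);

    // Equal objects must produce equal hash codes, otherwise HashSet/Dictionary
    // lookups silently miss logically equal entries.
    public override int GetHashCode() => HashCode.Combine(FirstName, Age);

    // Keep == and != consistent with Equals; the null checks avoid recursion.
    public static bool operator ==(CustomClass left, CustomClass right) =>
        left is null ? right is null : left.Equals(right);

    public static bool operator !=(CustomClass left, CustomClass right) => !(left == right);
}

static class Program
{
    static void Main()
    {
        var a1 = new CustomClassNoEquals("bob", 34);
        var a2 = new CustomClassNoEquals("bob", 34);
        // Distinct instances: reference equality reports them as unequal,
        // and a set containing a1 does not find a2.
        Console.WriteLine(a1.Equals(a2));
        Console.WriteLine(new HashSet<CustomClassNoEquals> { a1 }.Contains(a2));

        var b1 = new CustomClass("bob", 34);
        var b2 = new CustomClass("bob", 34);
        // Same first name and age: value equality reports them as equal,
        // through Equals, ==, and hash-based collections alike.
        Console.WriteLine(b1.Equals(b2));
        Console.WriteLine(b1 == b2);
        Console.WriteLine(new HashSet<CustomClass> { b1 }.Contains(b2));
    }
}
```

Overriding Equals without GetHashCode is the most common half-fix: Equals then returns true for two objects while a Dictionary or HashSet still treats them as different keys, which is why the two overrides should always be changed together.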
