Comparing Classes by Name

From Guidance Share




Determining an object's type from its class name is dangerous, because malicious code may deliberately reuse a trusted class name in order to appear trusted.

Applies To

  • Languages: Java, .NET
  • Operating platforms: Any


The following code shows a trust decision based on the class name alone (the weak check this page warns against; the string "TrustedClassName" is a placeholder):

if (inputClass.getClass().getName().equals("TrustedClassName")) {
    // Do something assuming you trust inputClass
    // ...
}

  • Authorization: If a program bases code trust on the name of the object, it may execute the wrong (potentially malicious) code.

  • Failure to use a strong mechanism for identifying classes or assemblies.

  • Implementation: If you are using Java, use class equivalency to determine type. Rather than using the class name to decide whether an object is of a given type, compare the Class object returned by getClass() with the == operator.
  • Implementation: If you are using .NET, use strong names to identify a trusted class.
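An added example (not from the original page) showing why the Java countermeasure works: the same class bytes are loaded a second time through a separate class loader, which yields a Class with an identical getName() but a different identity. The name-based check accepts both objects; the getClass() == check accepts only the one defined by the application's own loader. All class and method names here are constructed for the example.

```java
import java.io.IOException;
import java.io.InputStream;

public class ClassIdentityDemo {
    // Constructed for this example: the class the application intends to trust.
    public static class TrustedPlugin {
        public String run() { return "trusted"; }
    }

    // A loader with no parent delegation that defines the very same class bytes
    // itself. The resulting Class has an identical getName() but a different
    // defining loader, so the JVM treats it as a different class.
    static class SeparateLoader extends ClassLoader {
        SeparateLoader() { super(null); }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = ClassIdentityDemo.class.getClassLoader().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // The weak check from the page: any class whose name matches is trusted.
    static boolean trustedByName(Object o) {
        return o.getClass().getName().equals(TrustedPlugin.class.getName());
    }

    // The recommended check: Class identity, which includes the defining loader.
    static boolean trustedByIdentity(Object o) {
        return o.getClass() == TrustedPlugin.class;
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new TrustedPlugin();
        Object lookalike = new SeparateLoader()
                .loadClass(TrustedPlugin.class.getName())
                .getDeclaredConstructor().newInstance();
        // Both objects report the same getName(); only the first shares TrustedPlugin.class.
        System.out.println("genuine  : byName=" + trustedByName(genuine)
                + " byIdentity=" + trustedByIdentity(genuine));
        System.out.println("lookalike: byName=" + trustedByName(lookalike)
                + " byIdentity=" + trustedByIdentity(lookalike));
    }
}
```

Compile and run with a plain `javac ClassIdentityDemo.java && java ClassIdentityDemo`; the loader reads the nested class's bytes from the classpath, so Java 9 or later is assumed for InputStream.readAllBytes().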
