This error appears when the program compares two objects' classnames to decide whether the objects are of the same class. It can also appear when the program checks that an object is of a certain class by some means other than comparing against a currently loaded class or against a class obtained from the classloader itself.

Vulnerability and risk

When comparing classes by name, you allow for mix-and-match attacks, where an attacker constructs new code that links some of your code together with malicious classes or links two classes together that were not meant to be together.

Mitigation and prevention

Do not compare classnames with the equals method. Instead, retrieve the first object's class with the getClass method, retrieve the second object's class by means of the current classloader, and compare the two Class objects.

Example 1

10    public void privateMethod(Object object1, Object object2) {
11      if (object1.getClass().getName().equals("anotherClass")) {// wrong
12        // do work based on the assumption we're dealing with
13        // the right object
14      }
15      if (object1.getClass() == object2.getClass()) { // correct
16        // do work based on the fact that the objects are
17        // of the same class
18      }
19    }

CMP.CLASS is reported for line 11: Comparing by classname.
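The following is an added example, not code from the checker documentation: it puts the flagged pattern and the recommended one side by side and makes the mix-and-match risk concrete by defining a second copy of the same class through a separate classloader. The class names Ticket, IsolatedLoader and ClassComparisonDemo are hypothetical.

```java
import java.io.InputStream;

/** Hypothetical type that the checks below are meant to recognise. */
class Ticket {
    final String id;
    Ticket(String id) { this.id = id; }
}

/** Hypothetical classloader that defines a class straight from bytes and does not
 *  delegate to the application loader; it stands in for code that arrives via
 *  some other loader (a plugin, a deserialized payload, a second JAR copy). */
class IsolatedLoader extends ClassLoader {
    IsolatedLoader() { super(null); }                 // bootstrap parent only
    Class<?> define(String name, byte[] b) { return defineClass(name, b, 0, b.length); }
}

public class ClassComparisonDemo {

    /** Flagged pattern (CMP.CLASS): every class whose binary name is "Ticket"
     *  passes, no matter which classloader defined it. */
    static boolean isTicketByName(Object o) {
        return o != null && o.getClass().getName().equals("Ticket");
    }

    /** Recommended pattern: resolve the expected class through this code's own
     *  classloader and compare Class objects. Class identity in the JVM is the pair
     *  (binary name, defining loader), so a same-named copy from another loader
     *  is a different Class and is rejected. */
    static boolean isTicketByClass(Object o) throws ClassNotFoundException {
        if (o == null) return false;
        Class<?> expected = Class.forName("Ticket", false,
                                          ClassComparisonDemo.class.getClassLoader());
        return o.getClass() == expected;
    }

    /** The two-object form used on line 15 of Example 1. */
    static boolean sameClass(Object a, Object b) {
        return a != null && b != null && a.getClass() == b.getClass();
    }

    /** Builds a Ticket instance whose class is a distinct copy of Ticket, loaded
     *  from the already-compiled Ticket.class bytes by the isolated loader. */
    static Object ticketFromOtherLoader() throws Exception {
        byte[] bytes;
        try (InputStream in = ClassComparisonDemo.class.getResourceAsStream("Ticket.class")) {
            if (in == null) throw new IllegalStateException("Ticket.class not found on classpath");
            bytes = in.readAllBytes();
        }
        Class<?> copy = new IsolatedLoader().define("Ticket", bytes);
        java.lang.reflect.Constructor<?> ctor = copy.getDeclaredConstructor(String.class);
        ctor.setAccessible(true);   // the copy lives in a different runtime package
        return ctor.newInstance("T-2");
    }

    public static void main(String[] args) throws Exception {
        Object genuine = new Ticket("T-1");
        Object foreign = ticketFromOtherLoader();

        System.out.println("genuine, by name:  " + isTicketByName(genuine));
        System.out.println("genuine, by class: " + isTicketByClass(genuine));
        System.out.println("foreign, by name:  " + isTicketByName(foreign));
        System.out.println("foreign, by class: " + isTicketByClass(foreign));
        System.out.println("same class:        " + sameClass(genuine, foreign));
    }
}
```

Compile and run with `javac ClassComparisonDemo.java && java ClassComparisonDemo`. The genuine Ticket passes both checks, while the foreign copy passes only the classname check: its getName() is also "Ticket", but its Class object is not the one the current classloader knows, so isTicketByClass and sameClass reject it. That difference is exactly what CMP.CLASS is warning about.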

Security training

Application security training materials provided by Secure Code Warrior.