CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-184: Incomplete Blacklist

 
Incomplete Blacklist
Weakness ID: 184 (Weakness Base)Status: Draft
+ Description

Description Summary

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

+ Time of Introduction
  • Implementation
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Bypass protection mechanism

+ Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

+ Demonstrative Examples

Example 1

In the following example, an XSS neutralization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.

(Bad Code)
Example Language: Java 
public String removeScriptTags(String input, String mask) {
return input.replaceAll("script", mask);
}
+ Observed Examples
ReferenceDescription
CVE-2005-2782PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
CVE-2005-2959Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
CVE-2005-1824SQL injection protection scheme does not quote the "\" special character.
CVE-2005-2184Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
CVE-2007-1343product doesn't protect one dangerous variable against external modification
CVE-2007-5727Chain: only removes SCRIPT tags, enabling XSS
CVE-2006-4308Chain: only checks "javascript:" tag
CVE-2007-3572Chain: incomplete blacklist for OS command injection
CVE-2002-0661"\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Combine use of black list with appropriate use of white lists.

Phase: Implementation

Strategy: Input Validation

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfCategoryCategory171Cleansing, Canonicalization, and Comparison Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts1000
ChildOfCategoryCategory896SFP Cluster: Tainted Input
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness BaseWeakness Base78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Research Concepts1000
Incomplete Blacklist to Cross-Site Scripting692
CanPrecedeWeakness BaseWeakness Base98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base434Unrestricted Upload of File with Dangerous Type
Research Concepts1000
StartsChainCompound Element: ChainCompound Element: Chain692Incomplete Blacklist to Cross-Site Scripting
Named Chains709
Incomplete Blacklist to Cross-Site Scripting692
PeerOfWeakness VariantWeakness Variant86Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Research Concepts1000
PeerOfWeakness BaseWeakness Base625Permissive Regular Expression
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base186Overly Restrictive Regular Expression
Research Concepts1000
+ Relationship Notes

An incomplete blacklist frequently produces resultant weaknesses.

Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIncomplete Blacklist
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "Eliminating Metacharacters", Page 435.. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Observed_Examples
2009-05-27CWE Content TeamMITREInternal
updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction
2010-02-16CWE Content TeamMITREInternal
updated Relationships
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-06-21CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Related_Attack_Patterns, Relationships
2013-02-21CWE Content TeamMITREInternal
updated Potential_Mitigations
Page Last Updated: February 18, 2014