CWE-184 Individual Dictionary Definition (Draft 9)

| Field | Value |
|---|---|
| Weakness ID | 184 (Weakness Base) |
| Status | Draft |
| Description | Summary: An application uses a "blacklist" of prohibited values, but the blacklist is incomplete. |
| Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) |
| Potential Mitigations | Ensure the black list covers all inappropriate content outlined in the Common Weakness Enumeration. Combine use of a black list with appropriate use of white lists. |

Observed Examples

| Reference | Description |
|---|---|
| CVE-2005-2782 | PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". |
| CVE-2004-0542 | Programming language does not filter certain shell metacharacters in Windows environment. |
| CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. |
| CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. |
| CVE-2004-2351 | Resultant XSS from incomplete blacklist (only <script> and <style> are checked). |
| CVE-2005-2959 | Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error. |
| CVE-2005-1824 | SQL injection protection scheme does not quote the "\" special character. |
| CVE-2005-2184 | Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link. |
| CVE-2007-1343 | Product doesn't protect one dangerous variable against external modification. |
| CVE-2007-5727 | Chain: only removes SCRIPT tags, enabling XSS. |
| CVE-2006-4308 | Chain: only checks "javascript:" tag. |
| CVE-2007-3572 | Chain: incomplete blacklist for OS command injection. |

Context Notes

An incomplete blacklist frequently produces resultant weaknesses. Exploitation of those weaknesses using the obvious manipulations might fail, but minor variations might succeed. Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

| Field | Value |
|---|---|
| References | |
| Relationships | |
| Source Taxonomies | PLOVER - Incomplete Blacklist |
| Applicable Platforms | All |
| Time of Introduction | Architecture and Design; Implementation |

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters |
| 15 | Command Delimiters |
| 6 | Argument Injection |
| 43 | Exploiting Multiple Input Interpretation Layers |
| 71 | Using Unicode Encoding to Bypass Validation Logic |
| 18 | Embedding Scripts in Nonscript Elements |
| 63 | Simple Script Injection |
| 73 | User-Controlled Filename |
| 85 | Client Network Footprinting (using AJAX/XSS) |
| 86 | Embedding Script (XSS) in HTTP Headers |
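As an added illustration (not part of this CWE entry), the extension-filter scenario of CVE-2005-2184 written out in Python: a blacklist that knows only about .EXE beside the allowlist check the Potential Mitigations field recommends. The file names and the allowed/denied extension sets are constructed sample values, not taken from the affected product.

```python
# Added example, not part of the CWE-184 entry: an incomplete blacklist next to
# an allowlist. Extension sets and file names are constructed sample values.
import os

# Incomplete blacklist: only the extension the author thought of (CVE-2005-2184 pattern).
DENIED_EXTENSIONS = {".exe"}


def blacklist_allows(filename: str) -> bool:
    """Blacklist check: permit anything that is not explicitly denied."""
    _, ext = os.path.splitext(filename)
    return ext not in DENIED_EXTENSIONS


# Allowlist: only the extensions the application actually needs to accept.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png"}


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: permit only approved extensions, compared case-insensitively."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (blacklist_result, allowlist_result)} for each input."""
    return {name: (blacklist_allows(name), allowlist_allows(name)) for name in filenames}


# Constructed sample input covering the three interesting cases.
SAMPLE_FILENAMES = [
    "report.pdf",    # legitimate upload: both checks permit it
    "tool.exe",      # the one case the blacklist knows about
    "tool.EXE",      # case variant: the case-sensitive blacklist misses it
    "shortcut.lnk",  # not on the blacklist at all, the CVE-2005-2184 gap
]

if __name__ == "__main__":
    for name, (bl, al) in compare(SAMPLE_FILENAMES).items():
        print(f"{name:13} blacklist={'allow' if bl else 'deny':5} allowlist={'allow' if al else 'deny'}")
```

The allowlist rejects the two names the blacklist lets through without having to enumerate every dangerous extension, which is the point of the mitigation: a denylist must be complete to be safe, an allowlist only has to be correct for the inputs you actually want.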