Common Weakness Enumeration (CWE): A Community-Developed Dictionary of Software Weakness Types

CWE List, Individual Dictionary Definition (2.7)

CWE-184: Incomplete Blacklist

Weakness ID: 184 (Weakness Base) | Status: Draft
+ Description

Description Summary

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

+ Time of Introduction
  • Implementation
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect

Technical Impact: Bypass protection mechanism

+ Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

+ Demonstrative Examples

Example 1

In the following example, an XSS neutralization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.

(Bad Code)
Example Language: Java

// Case-sensitive, single-token blacklist: only the literal lower-case
// "script" is replaced, so a variant such as "SCRIPT" passes through unchanged.
public String removeScriptTags(String input, String mask) {
    return input.replaceAll("script", mask);
}
+ Observed Examples
  • PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
  • Programming language does not filter certain shell metacharacters in Windows environment.
  • XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE (multiple interpretation error) and validate-before-cleanse.
  • Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
  • Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
  • Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
  • SQL injection protection scheme does not quote the "\" special character.
  • Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
  • Product doesn't protect one dangerous variable against external modification.
  • Chain: only removes SCRIPT tags, enabling XSS.
  • Chain: only checks "javascript:" tag.
  • Chain: incomplete blacklist for OS command injection.
  • "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Combine the use of a blacklist with appropriate use of whitelists.

Phase: Implementation

Strategy: Input Validation

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.
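Added example, not code from the CWE entry or its references: a Python port of the Java routine in Example 1, a test oracle that reproduces the Black Box detection method (the obvious payload is caught, minor variants are not), and an allowlist-plus-output-encoding sanitizer of the kind the mitigations above recommend. SAMPLE_INPUTS, looks_dangerous and ALLOWED_TAGS are constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the CWE page): the same payload with
# the minor variations the Black Box detection method describes.
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",       # obvious form: the blacklist catches it
    "<SCRIPT>alert(1)</SCRIPT>",       # case variation
    "<scr\x00ipt>alert(1)</script>",   # null byte, which browsers ignore
    "<img src=x onerror=alert(1)>",    # contains no "script" substring at all
]

def remove_script_tags_blacklist(text: str, mask: str = "") -> str:
    """Python port of the page's Java routine: deletes only the lower-case
    literal "script".  This is the weak, CWE-184 form."""
    return text.replace("script", mask)

def looks_dangerous(rendered: str) -> bool:
    """Test oracle modelling a lenient browser: nulls are dropped and tag
    names are case-folded before a raw <script> tag or an on*= event
    handler attribute is looked for."""
    normalized = rendered.replace("\x00", "").lower()
    return re.search(r"<\s*script|<[^>]*\son\w+\s*=", normalized) is not None

def bypasses_blacklist(inputs):
    """Return the inputs that remain dangerous after the blacklist routine."""
    return [s for s in inputs if looks_dangerous(remove_script_tags_blacklist(s))]

# Mitigation: an allowlist of tags plus output encoding for everything else.
ALLOWED_TAGS = {"b", "i", "p"}
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>")

def sanitize_allowlist(text: str) -> str:
    """Remove nulls before inspecting (cleanse before validate), re-emit
    allowed tags without attributes, and HTML-encode everything else."""
    text = text.replace("\x00", "")
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{slash}{name}>")
        else:
            out.append(html.escape(m.group(0)))  # encode, do not strip
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

if __name__ == "__main__":
    for s in bypasses_blacklist(SAMPLE_INPUTS):
        print("blacklist missed:", repr(s), "->", repr(sanitize_allowlist(s)))
```

Only the first sample is caught by the blacklist; the allowlist sanitizer neutralizes all four because it encodes whatever it does not recognize instead of searching for known-bad strings.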

+ Weakness Ordinalities
Ordinality | Description
(where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary), view 699 |
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary), view 1000 |
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts, view 1000 |
ChildOf | Category | 896 | SFP Cluster: Tainted Input | Software Fault Pattern (SFP) Clusters (primary), view 888 |
CanPrecede | Weakness Base | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Research Concepts, view 1000 |
CanPrecede | Weakness Base | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Research Concepts, view 1000 | Incomplete Blacklist to Cross-Site Scripting, chain 692
CanPrecede | Weakness Base | 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Research Concepts, view 1000 |
CanPrecede | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts, view 1000 |
StartsChain | Compound Element: Chain | 692 | Incomplete Blacklist to Cross-Site Scripting | Named Chains, view 709 | Incomplete Blacklist to Cross-Site Scripting, chain 692
PeerOf | Weakness Variant | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | Research Concepts, view 1000 |
PeerOf | Weakness Base | 625 | Permissive Regular Expression | Research Concepts, view 1000 |
CanAlsoBe | Weakness Base | 186 | Overly Restrictive Regular Expression | Research Concepts, view 1000 |
+ Relationship Notes

An incomplete blacklist frequently produces resultant weaknesses.

Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Incomplete Blacklist
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "Eliminating Metacharacters", Page 435. 1st Edition. Addison Wesley. 2006.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Cigital | | External | added/updated demonstrative examples
2008-07-01 | Cigital | | External | updated Potential_Mitigations, Time_of_Introduction
2008-09-08 | MITRE | | Internal | updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24 | MITRE | | Internal | updated Observed_Examples
2009-05-27 | MITRE | | Internal | updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction
2010-02-16 | MITRE | | Internal | updated Relationships
2010-04-05 | MITRE | | Internal | updated Related_Attack_Patterns
2010-06-21 | MITRE | | Internal | updated Demonstrative_Examples
2011-06-01 | MITRE | | Internal | updated Common_Consequences
2012-05-11 | MITRE | | Internal | updated References, Related_Attack_Patterns, Relationships
2013-02-21 | MITRE | | Internal | updated Potential_Mitigations
Page Last Updated: June 23, 2014