CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-692: Incomplete Blacklist to Cross-Site Scripting

 
Incomplete Blacklist to Cross-Site Scripting
Compound Element ID: 692 (Compound Element Base: Chain)Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.
+ Applicable Platforms

Languages

C

C++

All

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Execute unauthorized code or commands

+ Observed Examples
ReferenceDescription
CVE-2007-5727Blacklist only removes <SCRIPT> tag.
CVE-2006-3617Blacklist only removes <SCRIPT> tag.
CVE-2006-4308Blacklist only checks "javascript:" tag
+ Other Notes

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
StartsWithWeakness BaseWeakness Base184Incomplete Blacklist
Named Chains709
Incomplete Blacklist to Cross-Site Scripting692
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts (primary)1000
+ Relevant Properties
  • Validity
+ References
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Relationships, Other_Notes
2008-09-24CWE Content TeamMITREInternal
added Language_Class "All"
2008-10-14CWE Content TeamMITREInternal
updated Applicable_Platforms
2009-03-10CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns
Page Last Updated: February 18, 2014