CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-692: Incomplete Blacklist to Cross-Site Scripting

 
Incomplete Blacklist to Cross-Site Scripting
Compound Element ID: 692 (Compound Element Base: Chain)Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" [R.692.1] contains a large number of attacks that are intended to bypass incomplete blacklists.

+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Execute unauthorized code or commands

+ Observed Examples
ReferenceDescription
Blacklist only removes <SCRIPT> tag.
Blacklist only removes <SCRIPT> tag.
Blacklist only checks "javascript:" tag
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
StartsWithWeakness BaseWeakness Base184Incomplete Blacklist
Named Chains709
Incomplete Blacklist to Cross-Site Scripting692
ChildOfWeakness ClassWeakness Class20Improper Input Validation
Research Concepts (primary)1000
+ Relevant Properties
  • Validity
+ References
[R.692.1] S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable_Platforms, Relationships, Other_Notes
2008-09-24CWE Content TeamMITREInternal
added Language_Class "All"
2008-10-14CWE Content TeamMITREInternal
updated Applicable_Platforms
2009-03-10CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2014-06-23CWE Content TeamMITREInternal
updated Applicable_Platforms, Description, Other_Notes
Page Last Updated: July 30, 2014