CWE-692: Incomplete Blacklist to Cross-Site Scripting

Compound Element ID: 692 (Compound Element Base: Chain)
Status: Draft

Description
The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Common Consequences
Technical Impact: Execute unauthorized code or
Extended Description
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.
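The following added example (not part of the CWE entry) contrasts the pattern this entry describes with the standard defence. `blacklist_filter` is a hypothetical filter that removes the one tag its author thought of; `encode_for_html_text` instead encodes output for the HTML text context, so the browser treats the whole value as data regardless of which variant was submitted. The sample inputs are constructed here for illustration.

```python
import html
import re

# Constructed sample inputs (not from the CWE entry): the form the blacklist
# knows about, a case variant of it, and a variant that uses no script tag.
SAMPLES = [
    "<script>x</script>",
    "<SCRIPT>x</SCRIPT>",
    "<img src=x onerror=x>",
]


def blacklist_filter(value: str) -> str:
    """Hypothetical incomplete blacklist: strips one exact spelling of one tag.

    This is the defect CWE-692 describes: anything the author did not
    enumerate passes straight through.
    """
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html_text(value: str) -> str:
    """Hardened form: context-appropriate output encoding instead of a denylist.

    html.escape turns <, >, &, " and ' into character references, so no
    untrusted input can open a tag or attribute in an HTML text context.
    """
    return html.escape(value, quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """Detection helper: does the rendered output still open a tag?"""
    return re.search(r"<[A-Za-z/!]", rendered) is not None


def compare(samples=SAMPLES):
    """Run both approaches over the samples and report which still leak markup."""
    results = []
    for sample in samples:
        results.append({
            "input": sample,
            "blacklist_leaks": contains_raw_markup(blacklist_filter(sample)),
            "encoded_leaks": contains_raw_markup(encode_for_html_text(sample)),
        })
    return results


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Running `compare()` shows that the blacklist only neutralises the single spelling it was written for, while the encoded output never contains raw markup for any input. Output encoding must still match the context the value is rendered into (HTML text, attribute, JavaScript, URL); `html.escape` covers the first two only.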
Relationships
  Nature      Type            ID   Name                       View(s) this relationship pertains to   Named Chain(s) this relationship pertains to
  StartsWith  Weakness Base   184  Incomplete Blacklist       Named Chains (709)                      Incomplete Blacklist to Cross-Site Scripting (692)
  ChildOf     Weakness Class  20   Improper Input Validation  Research Concepts (1000) (primary)
Modifications
  2008-07-01  Eric Dalci (Cigital), External: updated Time_of_Introduction
  2008-09-08  CWE Content Team (MITRE), Internal: updated Applicable_Platforms, Relationships, Other_Notes
  2008-09-24  CWE Content Team (MITRE), Internal: added Language_Class "All"
  2008-10-14  CWE Content Team (MITRE), Internal: updated Applicable_Platforms
  2009-03-10  CWE Content Team (MITRE), Internal: updated Related_Attack_Patterns
  2011-06-01  CWE Content Team (MITRE), Internal: updated Common_Consequences
  2012-05-11  CWE Content Team (MITRE), Internal: updated Related_Attack_Patterns