CWE-692: Incomplete Blacklist to Cross-Site Scripting

Status: Draft
Compound Element ID: 692 (Compound Element Base: Chain)
Description
Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Relevant Properties
* Validity
Observed Examples
* Blacklist only removes the <SCRIPT> tag.
* Blacklist only checks for the "javascript:" URI scheme.
Other Notes

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.
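The following is an added example, not part of the CWE entry or MITRE's material. It contrasts a constructed blacklist filter of exactly the kind the observed examples describe (it strips <script> tags and the "javascript:" scheme) with context-aware output encoding, the defence that does not depend on enumerating variants. The sample inputs, function names and the <img> event-handler line are all constructed for illustration; the point is that the blacklist passes markup it was never written to recognise, while encoding every HTML-significant character renders any input inert in an HTML body context.

```python
import html
import re

# Constructed blacklist of the kind CWE-692 describes: two patterns the filter
# author thought of, everything else passes through untouched.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
JS_SCHEME = re.compile(r"javascript:", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Blacklist approach: remove only the patterns that were enumerated."""
    cleaned = SCRIPT_TAG.sub("", untrusted)
    return JS_SCHEME.sub("", cleaned)


def encode_for_html_body(untrusted: str) -> str:
    """Encoding approach: neutralise every character the HTML parser treats
    as markup (<, >, &, quotes) instead of guessing which tags are dangerous.
    Correct for an HTML body/text-node context only; attribute, URL and
    JavaScript contexts need their own encoders."""
    return html.escape(untrusted, quote=True)


def render_comment(untrusted: str, use_encoding: bool) -> str:
    """Embed user-supplied text in a page using one of the two strategies."""
    body = encode_for_html_body(untrusted) if use_encoding else blacklist_filter(untrusted)
    return f'<p class="comment">{body}</p>'


def contains_markup(rendered_body: str) -> bool:
    """Detection check: any surviving '<' or '>' means the browser may parse a tag."""
    return "<" in rendered_body or ">" in rendered_body


def survives_blacklist(sample: str) -> bool:
    """True when the blacklist leaves markup in the output (i.e. it was incomplete)."""
    return contains_markup(blacklist_filter(sample))


if __name__ == "__main__":
    # Constructed samples: one the blacklist handles, one it was never written for.
    samples = [
        "<script>alert(1)</script>",          # enumerated pattern: stripped
        "<img src=x onerror=alert(1)>",       # different tag: passes through
    ]
    for s in samples:
        print(f"blacklist: {render_comment(s, use_encoding=False)}")
        print(f"encoded:   {render_comment(s, use_encoding=True)}")
        print(f"markup survived blacklist: {survives_blacklist(s)}\n")
```

Run it and the first sample is stripped by the blacklist while the second is rendered verbatim; the encoded versions of both contain no markup at all. That is the structural difference the entry is pointing at: an allowlist/encoding strategy is correct by construction for its context, whereas a blacklist is only as complete as its author's knowledge of browser parsing.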

References
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
Relationships
Nature     | Type           | ID  | Name                          | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to
ChildOf    | Weakness Class | 20  | Insufficient Input Validation | Research Concepts (primary), 1000     |
StartsWith | Weakness Base  | 184 | Incomplete Blacklist          | Named Chains (primary), 709           | Incomplete Blacklist to Cross-Site Scripting, 692
Applicable Platforms
Languages
C
C++
Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Applicable_Platforms, Relationships, Other_Notes
Page Last Updated: September 10, 2008