Common Weakness Enumeration (CWE): A Community-Developed Dictionary of Software Weakness Types

CWE List: Individual Dictionary Definition (CWE version 2.7)

CWE-692: Incomplete Blacklist to Cross-Site Scripting

Compound Element ID: 692 (Compound Element Base: Chain). Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" [R.692.1] contains a large number of attacks that are intended to bypass incomplete blacklists.

+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope | Effect
(not given) | Technical Impact: Execute unauthorized code or commands

+ Observed Examples
Reference | Description
  • (reference not given) Blacklist only removes <SCRIPT> tag.
  • (reference not given) Blacklist only removes <SCRIPT> tag.
  • (reference not given) Blacklist only checks "javascript:" tag.
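The two blacklist shapes named in the observed examples above (a filter that strips only a `<script>` tag, and a URL check that looks only for the literal `javascript:` prefix), placed beside the defence CWE-692 implies, contextual output encoding and scheme allowlisting. This is an added illustration, not code from the CWE entry; the filters, the sample inputs and the `audit` helper are constructed here to show why an enumerated blacklist stays incomplete while an encoder has no list to fall behind on.

```python
import html
import re
from urllib.parse import urlparse


def blacklist_filter(untrusted: str) -> str:
    """Constructed incomplete blacklist: strips only a lowercase <script> tag.

    The browser treats tag names case-insensitively, so every other spelling
    of the same tag passes straight through this pattern.
    """
    return re.sub(r"</?script[^>]*>", "", untrusted)


def blacklist_url_filter(url: str) -> str:
    """Constructed incomplete blacklist: rejects only an exact 'javascript:' prefix."""
    return "" if url.startswith("javascript:") else url


def encode_for_html_text(untrusted: str) -> str:
    """Mitigation: encode output for the HTML text context.

    Every markup-significant character (& < > " ') is encoded, so there is
    no list of bad strings that can be incomplete.
    """
    return html.escape(untrusted, quote=True)


def safe_href(url: str) -> str:
    """Mitigation for URL attributes: allowlist the scheme, then encode for the
    attribute context. Anything outside the allowlist (including relative
    links, by this constructed policy) is replaced by '#'.
    """
    scheme = urlparse(url.strip()).scheme  # urlparse lower-cases the scheme
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url.strip(), quote=True)


def still_contains_markup(s: str) -> bool:
    """Audit check: raw HTML-significant characters survived filtering."""
    return any(c in s for c in "<>\"'")


# Constructed sample inputs: the tag the blacklist knows, and a case variant.
SAMPLES = ["<script>x</script>", "<ScRiPt>x</ScRiPt>"]


def audit(filter_fn) -> list:
    """Return the samples that still carry raw markup after filter_fn."""
    return [s for s in SAMPLES if still_contains_markup(filter_fn(s))]


if __name__ == "__main__":
    print("blacklist leaks:", audit(blacklist_filter))      # ['<ScRiPt>x</ScRiPt>']
    print("encoder leaks:  ", audit(encode_for_html_text))  # []
```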
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to
StartsWith | Weakness Base | 184 | Incomplete Blacklist | Named Chains (709) | Incomplete Blacklist to Cross-Site Scripting (692)
ChildOf | Weakness Class | 20 | Improper Input Validation | Research Concepts (primary) (1000) |
+ Relevant Properties
  • Validity
+ References
[R.692.1] S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
+ Content History
Modifications

Modification Date | Modifier | Organization | Source | Change
2008-07-01 | | Cigital | External | updated Time_of_Introduction
2008-09-08 | | MITRE | Internal | updated Applicable_Platforms, Relationships, Other_Notes
2008-09-24 | | MITRE | Internal | added Language_Class "All"
2008-10-14 | | MITRE | Internal | updated Applicable_Platforms
2009-03-10 | | MITRE | Internal | updated Related_Attack_Patterns
2011-06-01 | | MITRE | Internal | updated Common_Consequences
2012-05-11 | | MITRE | Internal | updated Related_Attack_Patterns
2014-06-23 | | MITRE | Internal | updated Applicable_Platforms, Description, Other_Notes
Page Last Updated: June 23, 2014