Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


CWE-184: Incomplete Blacklist

Weakness ID: 184
Abstraction: Base
Status: Draft
+ Description

Description Summary

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

+ Time of Introduction
  • Implementation
  • Architecture and Design
+ Applicable Platforms

+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism

+ Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

+ Demonstrative Examples

Example 1

The following code attempts to stop XSS attacks by removing all occurrences of "script" in an input string.

(Bad Code)
Example Language: Java

public String removeScriptTags(String input, String mask) {
    // Only the exact lower-case substring "script" is replaced; any other
    // spelling of the tag name passes through untouched.
    return input.replaceAll("script", mask);
}

Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags.
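The following is an added example (not part of the CWE entry) that puts the Bad Code above beside the approach the mitigations below recommend, and runs both through the kind of variant-driven check the Detection Methods section describes. It ports the Java filter to Python, adds an output-encoding function, and checks a constructed set of inputs against each; the input set, the helper names and the "raw tag remains" heuristic are all assumptions made for this example.

```python
import html
import re

# Constructed sample inputs (not from the CWE page): the same tag written in
# several cases, plus a benign string, used as a regression set for a filter.
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<ScRiPt>alert(1)</ScRiPt>",
    "hello world",
]


def remove_script_tags_blacklist(value: str, mask: str = "") -> str:
    """Port of the page's Bad Code: drops only the literal lower-case 'script'.

    The blacklist is incomplete because it knows one spelling of one tag name.
    """
    return value.replace("script", mask)


def encode_for_html(value: str) -> str:
    """Output encoding instead of a blacklist.

    Every '<', '>', '&' and quote is escaped, so the result cannot start a tag
    no matter which tag name or letter case the input used.
    """
    return html.escape(value, quote=True)


def is_html_safe(rendered: str) -> bool:
    """Heuristic used by the regression set: no raw tag opener may remain.

    A '<' followed by an optional '/' and a letter is treated as a tag start.
    """
    return re.search(r"<\s*/?\s*[a-zA-Z]", rendered) is None


def survivors(filter_fn, inputs=SAMPLE_INPUTS) -> list:
    """Return the inputs that still contain a raw tag after filter_fn ran.

    An empty list means every variant in the set was neutralised.
    """
    return [s for s in inputs if not is_html_safe(filter_fn(s))]


if __name__ == "__main__":
    print("blacklist survivors:", survivors(remove_script_tags_blacklist))
    print("encoding survivors: ", survivors(encode_for_html))
```

Running it shows the black-box pattern from the Detection Methods section: the obvious input is handled by the blacklist, the case variants are not, while the encoding function leaves no survivors. Extending SAMPLE_INPUTS with new variants turns this into a regression test for any filter the application keeps.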

+ Observed Examples
  • PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
  • Programming language does not filter certain shell metacharacters in Windows environment.
  • XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
  • Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
  • Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
  • Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
  • SQL injection protection scheme does not quote the "\" special character.
  • Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
  • Product doesn't protect one dangerous variable against external modification.
  • Chain: only removes SCRIPT tags, enabling XSS.
  • Chain: only checks "javascript:" tag.
  • Chain: incomplete blacklist for OS command injection.
  • "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
+ Potential Mitigations

Phase: Implementation

Strategy: Input Validation

Combine use of blacklist with appropriate use of whitelists.

Phase: Implementation

Strategy: Input Validation

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.
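As an added example of both mitigations above (not code from the CWE entry), the following file-extension check makes an allowlist the deciding rule and keeps a denylist only as defence in depth, with a denylist-only variant beside it for comparison. The extension sets, the canonicalisation rules and the function names are assumptions chosen for this example; the extension names themselves echo the Observed Examples above.

```python
import posixpath

# Allowlist: the only extensions the application knowingly serves.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Denylist: kept for defence in depth and for logging, never the sole decision.
# Assumed set for this example; it is deliberately incomplete, as any such
# list will be, which is exactly why it cannot be the deciding rule.
DENIED_EXTENSIONS = {"exe", "lnk", "aspx", "php", "jsp"}


def canonical_extension(filename: str) -> str:
    """Reduce a submitted file name to one lower-case final extension.

    Canonicalise first, compare second: directory components (either
    separator), trailing dots and spaces, and letter case are all removed
    before the extension is looked at, so "photo.JPG", "dir\\photo.jpg" and
    "photo.jpg." all compare as "jpg".
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    base = base.rstrip(". ")
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def denylist_only_allowed(filename: str) -> bool:
    """The pattern this CWE describes: anything not on the denylist passes."""
    ext = canonical_extension(filename)
    return ext not in DENIED_EXTENSIONS


def upload_allowed(filename: str) -> bool:
    """Recommended pattern: the allowlist decides, the denylist only adds depth.

    An unknown extension is rejected even if nobody thought to deny it.
    """
    ext = canonical_extension(filename)
    if not ext:
        return False
    if ext in DENIED_EXTENSIONS:
        # Already excluded by the allowlist; a separate branch lets the
        # application log or alert on it explicitly.
        return False
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ["report.pdf", "photo.JPG", "tool.exe", "shortcut.LNK",
                 "page.aspx", "handler.cgi", "noext"]:
        print(f"{name:14} denylist-only={denylist_only_allowed(name)!s:5} "
              f"allowlist={upload_allowed(name)}")
```

The contrast is the point of the second mitigation: "handler.cgi" is not on the denylist, so denylist_only_allowed accepts it, while upload_allowed rejects it because the decision was never delegated to the denylist in the first place.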

+ Weakness Ordinalities
Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary) 699 |
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003 |
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts 1000 |
ChildOf | Category | 990 | SFP Secondary Cluster: Tainted Input to Command | Software Fault Pattern (SFP) Clusters (primary) 888 |
CanPrecede | Weakness Base | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Research Concepts 1000 |
CanPrecede | Weakness Base | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Research Concepts 1000 | Incomplete Blacklist to Cross-Site Scripting 692
CanPrecede | Weakness Base | 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Research Concepts 1000 |
CanPrecede | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts 1000 |
StartsChain | Compound Element: Chain | 692 | Incomplete Blacklist to Cross-Site Scripting | Named Chains 709 | Incomplete Blacklist to Cross-Site Scripting 692
PeerOf | Weakness Variant | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | Research Concepts 1000 |
PeerOf | Weakness Base | 625 | Permissive Regular Expression | Research Concepts 1000 |
CanAlsoBe | Weakness Base | 186 | Overly Restrictive Regular Expression | Research Concepts 1000 |
+ Relationship Notes

An incomplete blacklist frequently produces resultant weaknesses.

Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Incomplete Blacklist
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006.
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 8, "Eliminating Metacharacters", Page 435. 1st Edition. Addison Wesley. 2006.
+ Content History
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined

Modification Date | Modifier | Organization | Source | Changes
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Potential_Mitigations, Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24 | CWE Content Team | MITRE | Internal | updated Observed_Examples
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction
2010-02-16 | CWE Content Team | MITRE | Internal | updated Relationships
2010-04-05 | CWE Content Team | MITRE | Internal | updated Related_Attack_Patterns
2010-06-21 | CWE Content Team | MITRE | Internal | updated Demonstrative_Examples
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal | updated References, Related_Attack_Patterns, Relationships
2013-02-21 | CWE Content Team | MITRE | Internal | updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | Internal | updated Demonstrative_Examples, Relationships
2015-12-07 | CWE Content Team | MITRE | Internal | updated Relationships
2017-05-03 | CWE Content Team | MITRE | Internal | updated Potential_Mitigations, Related_Attack_Patterns

Page Last Updated: May 05, 2017