Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


CWE-692: Incomplete Blacklist to Cross-Site Scripting

Compound Element ID: 692
Abstraction: Base
Structure: Chain
Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" [R.692.1] contains a large number of attacks that are intended to bypass incomplete blacklists.

+ Applicable Platforms



+ Common Consequences

Technical Impact: Execute unauthorized code or commands

+ Observed Examples
  • Blacklist only removes <SCRIPT> tag.
  • Blacklist only removes <SCRIPT> tag.
  • Blacklist only checks "javascript:" tag.
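As an added illustration, not part of the CWE entry, the Python below contrasts a script-tag blacklist of the kind the Observed Examples describe with contextual output encoding, the allowlist-style defence that does not depend on enumerating variants. The sample inputs and the helper names (`blacklist_filter`, `encode_for_html_body`, `compare`) are constructed for this example.

```python
import html
import re

# "Before": an incomplete blacklist (CWE-184). It strips <script> elements
# only; any other way of turning untrusted text into markup passes through.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Remove <script>...</script> tags and nothing else."""
    return _SCRIPT_TAG.sub("", untrusted)


# "After": contextual output encoding. Instead of guessing which input is
# bad, encode every HTML metacharacter so the text can never be parsed as
# markup in an HTML body context, whatever tag or attribute it resembles.
def encode_for_html_body(untrusted: str) -> str:
    return html.escape(untrusted, quote=True)


def contains_markup(rendered: str) -> bool:
    """Crude check: does a raw tag opener ('<' followed by a letter) survive?"""
    return re.search(r"<\s*[a-zA-Z]", rendered) is not None


# Constructed samples (not from the CWE entry): the one variant the
# blacklist knows about, a spacing variant of it, a non-script tag the
# blacklist never considered, and benign text containing metacharacters.
SAMPLES = [
    "<SCRIPT>x()</SCRIPT>",
    "<script >x()</script >",
    "<img src=x>",
    "Tom & Jerry <3",
]


def compare(samples=SAMPLES):
    """For each sample: (input, markup survives blacklist, markup survives encoding)."""
    return [
        (s, contains_markup(blacklist_filter(s)), contains_markup(encode_for_html_body(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for s, after_blacklist, after_encoding in compare():
        print(f"{s!r:28} blacklist leaves markup: {after_blacklist!s:5} "
              f"encoding leaves markup: {after_encoding}")
```

The third sample is the point of the entry: the blacklist handles exactly the tag it enumerates and leaves every other tag intact, while encoding treats all input uniformly.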
+ Relationships
Nature     | Type           | ID  | Name                      | View(s) this relationship pertains to                                    | Named Chain(s) this relationship pertains to
StartsWith | Weakness Base  | 184 | Incomplete Blacklist      | Named Chains (709)                                                       | Incomplete Blacklist to Cross-Site Scripting (692)
ChildOf    | Weakness Class | 20  | Improper Input Validation | Development Concepts (primary) (699); Research Concepts (primary) (1000) |
+ Relevant Properties
  • Validity
+ References
[R.692.1] S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006.
+ Content History
Modification Date | Modifier         | Organization | Source   | Change
2008-07-01        | Eric Dalci       | Cigital      | External | updated Time_of_Introduction
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Applicable_Platforms, Relationships, Other_Notes
2008-09-24        | CWE Content Team | MITRE        | Internal | added Language_Class "All"
2008-10-14        | CWE Content Team | MITRE        | Internal | updated Applicable_Platforms
2009-03-10        | CWE Content Team | MITRE        | Internal | updated Related_Attack_Patterns
2011-06-01        | CWE Content Team | MITRE        | Internal | updated Common_Consequences
2012-05-11        | CWE Content Team | MITRE        | Internal | updated Related_Attack_Patterns
2014-06-23        | CWE Content Team | MITRE        | Internal | updated Applicable_Platforms, Description, Other_Notes
2017-01-19        | CWE Content Team | MITRE        | Internal | updated Relationships
2017-05-03        | CWE Content Team | MITRE        | Internal | updated Related_Attack_Patterns

Page Last Updated: May 05, 2017