Incomplete Blacklist
Weakness ID: 184 (Weakness Base) | Status: Draft
Description Summary
Extended Description
If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.
Black Box: Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.
Example 1
In the following example, an XSS sanitization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.
Reference | Description |
---|---|
CVE-2005-2782 | PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". |
CVE-2004-0542 | Programming language does not filter certain shell metacharacters in Windows environment. |
CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. |
CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. |
CVE-2004-2351 | Resultant XSS from incomplete blacklist (only <script> and <style> are checked). |
CVE-2005-2959 | Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error. |
CVE-2005-1824 | SQL injection protection scheme does not quote the "\" special character. |
CVE-2005-2184 | Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link. |
CVE-2007-1343 | Product doesn't protect one dangerous variable against external modification. |
CVE-2007-5727 | Chain: only removes SCRIPT tags, enabling XSS. |
CVE-2006-4308 | Chain: only checks "javascript:" tag. |
CVE-2007-3572 | Chain: incomplete blacklist for OS command injection. |
CVE-2002-0661 | "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes. |
Ensure the blacklist covers all inappropriate content outlined in the Common Weakness Enumeration.
Combine use of a blacklist with appropriate use of whitelists.
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variant encodings of a character; you are likely to miss some of them.
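As an added illustration of Example 1 and of the mitigations above (example code written for this page, not the CWE entry's own demonstrative code), the following Python puts the lower-case-only blacklist next to its "obvious fix" and next to the two things the mitigations ask for: a positive allowlist check and context-appropriate output encoding. The sample inputs are constructed; the field name, the allowed character class and the 64-character limit are assumptions for a display-name field.

```python
import html
import re

# Constructed sample inputs (not taken from the CWE entry). Each one is a
# candidate "name" value that a page would echo back into its HTML.
SAMPLE_INPUTS = [
    "Alice",        # benign
    "<script>",     # exactly the string the blacklist looks for
    "<SCRIPT>",     # upper-case variant
    "<ScRiPt>",     # mixed-case variant
    "<style>",      # a different tag the blacklist never considered
]


def incomplete_blacklist(value: str) -> bool:
    """Accept the value unless it contains the literal lower-case 'script'.

    This mirrors the routine described in Example 1: it is the weak form and
    is kept here only so that its gaps can be measured.
    """
    return "script" not in value


def patched_blacklist(value: str) -> bool:
    """The 'obvious fix': match 'script' case-insensitively.

    Still a blacklist, so any construct the author did not enumerate (here a
    <style> tag, as with the tag-by-tag blacklists in the observed examples)
    passes straight through.
    """
    return re.search(r"script", value, re.IGNORECASE) is None


def allowlist_display_name(value: str) -> bool:
    """Positive validation: accept only characters a display name needs.

    The character class and the 64-character limit are assumptions for this
    example; set them from the real field's requirements.
    """
    return re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", value) is not None


def render_greeting(value: str) -> str:
    """Output-encode for an HTML text context, independent of any validation.

    html.escape turns <, >, &, ' and " into entities, so the browser sees text,
    not markup, whatever the input looked like.
    """
    return "<p>Hello, " + html.escape(value, quote=True) + "</p>"


def evaluate(value: str) -> dict:
    """Run one input through every check and return what each one decided."""
    return {
        "input": value,
        "incomplete_blacklist_accepts": incomplete_blacklist(value),
        "patched_blacklist_accepts": patched_blacklist(value),
        "allowlist_accepts": allowlist_display_name(value),
        "rendered": render_greeting(value),
    }


def blacklist_misses(inputs=SAMPLE_INPUTS) -> list:
    """Inputs the incomplete blacklist accepts but the allowlist rejects:
    the gap that 'minor variations' of the obvious manipulation fall into."""
    return [v for v in inputs
            if incomplete_blacklist(v) and not allowlist_display_name(v)]


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        result = evaluate(sample)
        print(f"{sample!r:12} blacklist={result['incomplete_blacklist_accepts']!s:5} "
              f"patched={result['patched_blacklist_accepts']!s:5} "
              f"allowlist={result['allowlist_accepts']!s:5} -> {result['rendered']}")
    print("accepted by blacklist, rejected by allowlist:", blacklist_misses())
```

The point the run makes is the one in the relationship notes: each blacklist fix closes one variant and leaves the next open, whereas the allowlist rejects everything outside the field's legitimate alphabet and the encoder renders whatever gets through as inert text. The encoder is the control that does not depend on the validator being complete.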
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary) 699 | |
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000 | |
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts 1000 | |
CanPrecede | Weakness Base | 78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | Research Concepts 1000 | |
CanPrecede | Weakness Base | 79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Research Concepts 1000 | Incomplete Blacklist to Cross-Site Scripting 692 |
CanPrecede | Weakness Base | 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | Research Concepts 1000 | |
CanPrecede | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts 1000 | |
StartsChain | Compound Element: Chain | 692 | Incomplete Blacklist to Cross-Site Scripting | Named Chains 709 | Incomplete Blacklist to Cross-Site Scripting 692 |
PeerOf | Weakness Variant | 86 | Failure to Sanitize Invalid Characters in Identifiers in Web Pages | Research Concepts 1000 | |
PeerOf | Weakness Base | 625 | Permissive Regular Expression | Research Concepts 1000 | |
CanAlsoBe | Weakness Base | 186 | Overly Restrictive Regular Expression | Research Concepts 1000 | |
An incomplete blacklist frequently produces resultant weaknesses. Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
3 | Using Leading 'Ghost' Character Sequences to Bypass Input Filters | |
15 | Command Delimiters | |
43 | Exploiting Multiple Input Interpretation Layers | |
73 | User-Controlled Filename | |
85 | Client Network Footprinting (using AJAX/XSS) | |
6 | Argument Injection | |
86 | Embedding Script (XSS) in HTTP Headers | |
18 | Embedding Scripts in Nonscript Elements | |
63 | Simple Script Injection | |
71 | Using Unicode Encoding to Bypass Validation Logic | |
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
Submissions
| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |
Modifications
| Modification Date | Modifier | Organization | Source | Changes |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Detection Factors, Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities |
| 2008-11-24 | CWE Content Team | MITRE | Internal | updated Observed Examples |
| 2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Other Notes, Relationship Notes, Time of Introduction |