CWE 184

Incomplete Blacklist

Weakness ID: 184 (Weakness Base)

Status: Draft

Description

Description Summary

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

Time of Introduction

Implementation
Architecture and Design

Applicable Platforms

Languages

All

Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

Demonstrative Examples

Example 1

In the following example, an XSS sanitization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.

(Bad Code)

Example Language: Java

public String sanitize(String input, String mask) {

return input.replaceAll("script", mask);

}

Observed Examples

Reference	Description
CVE-2005-2782	PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542	Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595	XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287	Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351	Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
CVE-2005-2959	Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
CVE-2005-1824	SQL injection protection scheme does not quote the "\" special character.
CVE-2005-2184	Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
CVE-2007-1343	product doesn't protect one dangerous variable against external modification
CVE-2007-5727	Chain: only removes SCRIPT tags, enabling XSS
CVE-2006-4308	Chain: only checks "javascript:" tag
CVE-2007-3572	Chain: incomplete blacklist for OS command injection
CVE-2002-0661	"\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.

Potential Mitigations

Ensure black list covers all inappropriate content outlined in the Common Weakness Enumeration.

Combine use of black list with appropriate use of white lists.

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

Weakness Ordinalities

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to	Named Chain(s) this relationship pertains to
ChildOf	Category	171	Cleansing, Canonicalization, and Comparison Errors	Development Concepts (primary)699
ChildOf	Weakness Class	693	Protection Mechanism Failure	Research Concepts (primary)1000
ChildOf	Weakness Class	697	Insufficient Comparison	Research Concepts1000
CanPrecede	Weakness Base	78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')	Research Concepts1000
CanPrecede	Weakness Base	79	Failure to Preserve Web Page Structure ('Cross-site Scripting')	Research Concepts1000	Incomplete Blacklist to Cross-Site Scripting692
CanPrecede	Weakness Base	98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')	Research Concepts1000
CanPrecede	Weakness Base	434	Unrestricted Upload of File with Dangerous Type	Research Concepts1000
StartsChain	Compound Element: Chain	692	Incomplete Blacklist to Cross-Site Scripting	Named Chains709	Incomplete Blacklist to Cross-Site Scripting692
PeerOf	Weakness Variant	86	Failure to Sanitize Invalid Characters in Identifiers in Web Pages	Research Concepts1000
PeerOf	Weakness Base	625	Permissive Regular Expression	Research Concepts1000
CanAlsoBe	Weakness Base	186	Overly Restrictive Regular Expression	Research Concepts1000

Relationship Notes

An incomplete blacklist frequently produces resultant weaknesses.

Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Incomplete Blacklist

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.4)
3	Using Leading 'Ghost' Character Sequences to Bypass Input Filters
15	Command Delimiters
43	Exploiting Multiple Input Interpretation Layers
73	User-Controlled Filename
85	Client Network Footprinting (using AJAX/XSS)
6	Argument Injection
86	Embedding Script (XSS ) in HTTP Headers
18	Embedding Scripts in Nonscript Elements
63	Simple Script Injection
71	Using Unicode Encoding to Bypass Validation Logic

References

G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.

S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Potential Mitigations, Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Detection Factors, Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Observed Examples
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description, Other Notes, Relationship Notes, Time of Introduction

CWE 184

COMPANY

STANDARDS

RECENT POSTS

MENU