Incomplete Blacklist to Cross-Site Scripting
Compound Element ID: 692 (Compound Element Base: Chain)
Status: Draft
+ Description

Description Summary

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.
+ Applicable Platforms

Languages

C

C++

All

+ Observed Examples
Reference      Description
CVE-2007-5727  Blacklist only removes the <SCRIPT> tag.
CVE-2006-3617  Blacklist only removes the <SCRIPT> tag.
CVE-2006-4308  Blacklist only checks for the "javascript:" URI scheme.
+ Other Notes

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations: a filter that removes one tag or one scheme still lets through other tags, inline event handlers, and encoded or obfuscated spellings of the same thing. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.
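The following is an added example, not part of this CWE entry and not code from any of the products in the observed examples. It models the blacklist pattern those examples describe (strip <script> tags, reject the literal string "javascript:"), pairs it with constructed payloads that pass the filter yet still execute in a browser, and contrasts it with contextual output encoding plus a URL-scheme allowlist. It goes beyond the three observed examples by including a nested-tag bypass and an event-handler bypass as well. All function names, payloads, the placeholder base URL and the simplified browser model are the example's own assumptions.

```javascript
// Added example (not CWE or vendor code). Models the observed blacklist pattern,
// the constructed bypasses that defeat it, and an encoding/allowlist alternative.

// 1. The incomplete blacklist: one non-iterated pass, case-insensitive.
function blacklistFilter(untrusted) {
  let out = untrusted.replace(/<\/?script\b[^>]*>/gi, ""); // "only removes <SCRIPT> tag"
  out = out.replace(/javascript:/gi, "");                  // "only checks javascript:"
  return out;
}

// Constructed payloads; each still delivers executable content after the filter.
const BYPASSES = {
  // Single-pass removal: deleting the inner <script> reassembles the outer tag.
  nestedTag: "<scr<script>ipt>alert(1)</scr<script>ipt>",
  // No <script> element at all; the inline handler fires when the image fails to load.
  eventHandler: '<img src="x" onerror="alert(1)">',
  // The HTML parser decodes &#x61; to "a" before the URL is parsed, so the literal
  // string "javascript:" never appears in what the filter inspects.
  entityScheme: '<a href="jav&#x61;script:alert(1)">x</a>',
  // Browsers strip ASCII tab/CR/LF from a URL before parsing its scheme.
  tabScheme: '<a href="java\tscript:alert(1)">x</a>',
};

// Simplified model of browser-side normalisation (assumption, not a real parser):
// decode numeric character references and drop tab/CR/LF.
function browserNormalise(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\t\r\n]/g, "");
}

// Does the normalised markup still contain a script element, an inline event
// handler inside a start tag, or a javascript: URL inside an attribute value?
function browserSeesScript(html) {
  const h = browserNormalise(html);
  return /<script\b/i.test(h)
    || /<\w+[^>]*\son\w+\s*=/i.test(h)
    || /<\w+[^>]*\s\w+\s*=\s*["']?javascript:/i.test(h);
}

// 2. Output encoding: neutralise every character that can change the HTML
// context, whatever tag, attribute or scheme the attacker chose.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// 3. Scheme allowlist for link targets: normalise as the browser would, parse with
// the WHATWG URL parser, and accept only http(s). Anything else becomes "#".
function safeHref(href) {
  let url;
  try {
    url = new URL(browserNormalise(href), "https://example.invalid/"); // placeholder base
  } catch {
    return "#";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "#";
  return htmlEncode(url.href);
}

// For each payload: does script survive the blacklist? Does it survive encoding?
function bypassReport() {
  const report = {};
  for (const [name, payload] of Object.entries(BYPASSES)) {
    report[name] = {
      afterBlacklist: browserSeesScript(blacklistFilter(payload)),
      afterEncoding: browserSeesScript(htmlEncode(payload)),
    };
  }
  return report;
}

console.log(bypassReport());
```

Every entry in the report shows afterBlacklist true and afterEncoding false: the blacklist is defeated by a different tag, a different spelling, or a parser step it never modelled, while encoding removes the attacker's ability to change context at all. The allowlist in safeHref has the same property: it does not try to enumerate bad schemes, it names the two good ones.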

+ Relationships
Nature      Type            ID   Name                       View(s) this relationship pertains to  Named Chain(s) this relationship pertains to
StartsWith  Weakness Base   184  Incomplete Blacklist       Named Chains (709)                     Incomplete Blacklist to Cross-Site Scripting (692)
ChildOf     Weakness Class  20   Improper Input Validation  Research Concepts (primary) (1000)
+ Relevant Properties
  • Validity
+ Related Attack Patterns
(CAPEC Version: 1.4)
CAPEC-ID  Attack Pattern Name
85        Client Network Footprinting (using AJAX/XSS)
86        Embedding Script (XSS) in HTTP Headers
32        Embedding Scripts in HTTP Query Strings
18        Embedding Scripts in Nonscript Elements
19        Embedding Scripts within Scripts
63        Simple Script Injection
71        Using Unicode Encoding to Bypass Validation Logic
80        Using UTF-8 Encoding to Bypass Validation Logic
91        XSS in IMG Tags
+ References
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
+ Content History
Modifications
Modification Date  Modifier          Organization  Source
2008-07-01         Eric Dalci        Cigital       External
                   updated Time of Introduction
2008-09-08         CWE Content Team  MITRE         Internal
                   updated Applicable Platforms, Relationships, Other Notes
2008-09-24         CWE Content Team  MITRE         Internal
                   added Language Class "All"
2008-10-14         CWE Content Team  MITRE         Internal
                   updated Applicable Platforms
2009-03-10         CWE Content Team  MITRE         Internal
                   updated Related Attack Patterns