Incomplete Blacklist
Weakness ID: 184 (Weakness Base)Status: Draft
+ Description

Description Summary

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

+ Time of Introduction
  • Implementation
  • Architecture and Design
+ Applicable Platforms



+ Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

+ Demonstrative Examples

Example 1

In the following example, an XSS sanitization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.

(Bad Code)
Example Language: Java 
public String sanitize(String input, String mask) {
return input.replaceAll("script", mask);
+ Observed Examples
CVE-2005-2782PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
CVE-2004-0542Programming language does not filter certain shell metacharacters in Windows environment.
CVE-2004-0595XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
CVE-2005-3287Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
CVE-2004-2351Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
CVE-2005-2959Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
CVE-2005-1824SQL injection protection scheme does not quote the "\" special character.
CVE-2005-2184Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
CVE-2007-1343product doesn't protect one dangerous variable against external modification
CVE-2007-5727Chain: only removes SCRIPT tags, enabling XSS
CVE-2006-4308Chain: only checks "javascript:" tag
CVE-2007-3572Chain: incomplete blacklist for OS command injection
CVE-2002-0661"\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
+ Potential Mitigations

Ensure black list covers all inappropriate content outlined in the Common Weakness Enumeration.

Combine use of black list with appropriate use of white lists.

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)Named Chain(s) this relationship pertains toChain(s)
ChildOfCategoryCategory171Cleansing, Canonicalization, and Comparison Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base78Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base79Failure to Preserve Web Page Structure ('Cross-site Scripting')
Research Concepts1000
Incomplete Blacklist to Cross-Site Scripting692
CanPrecedeWeakness BaseWeakness Base98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base434Unrestricted Upload of File with Dangerous Type
Research Concepts1000
StartsChainCompound Element: ChainCompound Element: Chain692Incomplete Blacklist to Cross-Site Scripting
Named Chains709
Incomplete Blacklist to Cross-Site Scripting692
PeerOfWeakness VariantWeakness Variant86Failure to Sanitize Invalid Characters in Identifiers in Web Pages
Research Concepts1000
PeerOfWeakness BaseWeakness Base625Permissive Regular Expression
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base186Overly Restrictive Regular Expression
Research Concepts1000
+ Relationship Notes

An incomplete blacklist frequently produces resultant weaknesses.

Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIncomplete Blacklist
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
3Using Leading 'Ghost' Character Sequences to Bypass Input Filters
15Command Delimiters
43Exploiting Multiple Input Interpretation Layers
73User-Controlled Filename
85Client Network Footprinting (using AJAX/XSS)
6Argument Injection
86Embedding Script (XSS ) in HTTP Headers
18Embedding Scripts in Nonscript Elements
63Simple Script Injection
71Using Unicode Encoding to Bypass Validation Logic
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <>.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Detection Factors, Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Observed Examples
2009-05-27CWE Content TeamMITREInternal
updated Description, Other Notes, Relationship Notes, Time of Introduction