Incomplete Blacklist to Cross-Site Scripting
Compound Element ID: 692 (Compound Element Base: Chain) | Status: Draft
Description Summary
The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.
Reference | Description
---|---
CVE-2007-5727 | Blacklist only removes <SCRIPT> tag.
CVE-2006-3617 | Blacklist only removes <SCRIPT> tag.
CVE-2006-4308 | Blacklist only checks "javascript:" tag.
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a blacklist cannot keep track of all the variations. The "XSS Cheat Sheet" (see references) contains a large number of attacks that are intended to bypass incomplete blacklists.
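As an added illustration (not part of the CWE entry) of why stripping a single tag cannot keep up with browser parsing, the following Python compares a constructed blacklist filter with context-aware output encoding; `blacklist_filter`, `encode_for_html`, `render_comment`, `tag_names` and the sample inputs are all hypothetical.

```python
import html
import re

# Constructed model of the incomplete blacklist described in CVE-2007-5727
# and CVE-2006-3617: the filter knows about one tag and strips only that.
SCRIPT_TAG = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)


def blacklist_filter(user_input: str) -> str:
    """Blacklist defence: remove <script> tags, pass everything else through."""
    return SCRIPT_TAG.sub("", user_input)


def encode_for_html(user_input: str) -> str:
    """Output encoding: entity-encode every character that can start or end
    markup in an HTML body or quoted-attribute context (<, >, &, ", ').
    URL, JavaScript and CSS contexts need their own encoders."""
    return html.escape(user_input, quote=True)


def render_comment(user_input: str, defence) -> str:
    """Simulated template that places user input inside an HTML paragraph."""
    return f"<p>{defence(user_input)}</p>"


TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def tag_names(fragment: str) -> set:
    """Element names a browser could parse out of the fragment (regex
    approximation, enough to show whether user input created markup)."""
    return {m.group(1).lower() for m in TAG_NAME.finditer(fragment)}


# Constructed inputs: one uses the blacklisted tag, the other is the IMG-tag
# variant listed on this page under CAPEC-91, which the blacklist never inspects.
SAMPLES = {
    "script": "<script>alert(1)</script>",
    "img": '<img src="x" onerror="alert(1)">',
}


def compare_defences() -> dict:
    """Element names each defence leaves reachable, per sample input."""
    return {
        name: {
            "blacklist": sorted(tag_names(render_comment(value, blacklist_filter))),
            "encoding": sorted(tag_names(render_comment(value, encode_for_html))),
        }
        for name, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in compare_defences().items():
        print(name, result)
```

The blacklist leaves the `img` element (and its event handler) intact because it only ever looks for `script`, while encoding leaves only the template's own `p` element regardless of which variant was submitted.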
Nature | Type | ID | Name | View(s) this relationship pertains to | Named Chain(s) this relationship pertains to
---|---|---|---|---|---
StartsWith | Weakness Base | 184 | Incomplete Blacklist | Named Chains (709) | Incomplete Blacklist to Cross-Site Scripting (692)
ChildOf | Weakness Class | 20 | Improper Input Validation | Research Concepts (primary) (1000) | 
CAPEC-ID | Attack Pattern Name
---|---
85 | Client Network Footprinting (using AJAX/XSS)
86 | Embedding Script (XSS) in HTTP Headers
32 | Embedding Scripts in HTTP Query Strings
18 | Embedding Scripts in Nonscript Elements
19 | Embedding Scripts within Scripts
63 | Simple Script Injection
71 | Using Unicode Encoding to Bypass Validation Logic
80 | Using UTF-8 Encoding to Bypass Validation Logic
91 | XSS in IMG Tags

(CAPEC Version: 1.4)
S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". February 2006. <http://seclists.org/fulldisclosure/2006/Feb/0040.html>.
Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Applicable Platforms, Relationships, Other Notes
2008-09-24 | CWE Content Team | MITRE | Internal | added Language Class "All"
2008-10-14 | CWE Content Team | MITRE | Internal | updated Applicable Platforms
2009-03-10 | CWE Content Team | MITRE | Internal | updated Related Attack Patterns