Incomplete Blacklist

ID: 184
Date: (C) 2012-05-14   (M) 2019-07-02
Type: weakness
Status: DRAFT
Abstraction Type: Base


An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation
  • Architecture and Design

Related Attack Patterns

Common Consequences

Technical Impact: Bypass protection mechanism

Detection Methods

Black Box
Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

Potential Mitigations

  • Ensure the blacklist covers all inappropriate content outlined in the Common Weakness Enumeration.
  • Combine use of the blacklist with appropriate use of whitelists.
  • Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

An incomplete blacklist frequently produces resultant weaknesses.
Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

Related CWE: CWE-184 ChildOf CWE-896
Type: Category
View: CWE-888

Demonstrative Examples

  1. In the following example, an XSS neutralization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.
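The routine described above, next to the controls the mitigations recommend, as an added Python example (not the CWE entry's own code). The sample inputs are constructed, and `USERNAME_RE` is a hypothetical field rule assumed for illustration.

```python
import html
import re

# Constructed sample inputs: the first is the "obvious" form, the rest are
# minor variations (letter case, a tag the blacklist never names).
SAMPLES = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<ScRiPt>alert(1)</sCrIpT>",
    "<style>p{color:red}</style>",
]

TAG_OPEN = re.compile(r"<[A-Za-z]")                 # text a browser would parse as a tag
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # hypothetical field rule (assumption)


def blacklist_filter(value: str, mask: str = "") -> str:
    """Weak form from the entry: replaces only the lower-case string 'script'."""
    return value.replace("script", mask)


def encode_for_html(value: str) -> str:
    """Output encoding: neutralizes every HTML-significant character."""
    return html.escape(value, quote=True)


def allowlist_ok(value: str) -> bool:
    """Whitelist validation: accept only a known-good character set."""
    return USERNAME_RE.fullmatch(value) is not None


def audit(samples):
    """For each sample, report whether live markup survives each control."""
    rows = []
    for s in samples:
        rows.append({
            "input": s,
            "blacklist_leaks": bool(TAG_OPEN.search(blacklist_filter(s))),
            "encoding_leaks": bool(TAG_OPEN.search(encode_for_html(s))),
            "allowlist_accepts": allowlist_ok(s),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Only the first sample is stopped by the blacklist; encoding and whitelist validation handle all four the same way because neither depends on enumerating bad values.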

Observed Examples

  1. CVE-2005-2782: PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
  2. CVE-2004-0542: Programming language does not filter certain shell metacharacters in Windows environment.
  3. CVE-2004-0595: XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
  4. CVE-2005-3287: Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
  5. CVE-2004-2351: Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
  6. CVE-2005-2959: Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
  7. CVE-2005-1824: SQL injection protection scheme does not quote the "\" special character.
  8. CVE-2005-2184: Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
  9. CVE-2007-1343: Product doesn't protect one dangerous variable against external modification.
  10. CVE-2007-5727: Chain: only removes SCRIPT tags, enabling XSS.
  11. CVE-2006-4308: Chain: only checks "javascript:" tag.
  12. CVE-2007-3572: Chain: incomplete blacklist for OS command injection.
  13. CVE-2002-0661: "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.


White Box Definitions

Black Box Definitions

Taxonomy Mappings

PLOVER  Incomplete Blacklist



© SecPod Technologies