Incomplete Blacklist

ID: 184
Date: (C) 2012-05-14, (M) 2017-10-12
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation
  • Architecture and Design

Related Attack Patterns

Common Consequences

Scope: Access Control
Technical Impact: Bypass protection mechanism
Notes: (none)

Detection Methods

Black Box: Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed. (Effectiveness and Notes: not stated.)

Potential Mitigations

(Phase and Strategy are not stated for these mitigations.)

  • Ensure the blacklist covers all inappropriate content outlined in the Common Weakness Enumeration.
  • Combine use of a blacklist with appropriate use of whitelists.
  • Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.
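The second mitigation above (blacklist combined with a whitelist) shown on the kind of input several of the observed examples concern, an uploaded file name whose extension decides how a web server treats it. This is an added illustration, not code from the CWE entry or from SecPod; the two extension sets and the sample file names are constructed for the example.

```python
import os

# Added example (not from the CWE entry): an extension deny list next to an
# extension allow list. The deny list is incomplete by nature, in the manner of
# the .ASPX and .LNK cases in the observed examples; the allow list admits only
# what the application needs to serve. All sets and names here are constructed.

DENIED_EXTENSIONS = {".exe", ".php", ".asp"}    # "known bad": misses .aspx, .lnk, ...
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}   # what this application actually accepts


def _extension(filename: str) -> str:
    # Normalise casing so "FILE.ASPX" and "file.aspx" compare as the same extension.
    return os.path.splitext(filename)[1].lower()


def blacklist_accepts(filename: str) -> bool:
    """Incomplete blacklist (CWE-184): reject listed extensions, pass everything else."""
    return _extension(filename) not in DENIED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Whitelist: accept only a non-empty extension that is explicitly permitted."""
    ext = _extension(filename)
    return ext != "" and ext in ALLOWED_EXTENSIONS


def layered_accepts(filename: str) -> bool:
    """Mitigation as recommended: allow list decides, deny list kept as defence in depth."""
    return allowlist_accepts(filename) and blacklist_accepts(filename)


# Constructed sample names covering the interesting cases: permitted types in
# either case, a listed extension, two unlisted server-interpreted extensions,
# and a name with no extension at all.
SAMPLE_NAMES = ["report.pdf", "photo.JPG", "upload.exe", "page.aspx", "link.lnk", "noext"]


def compare(names=SAMPLE_NAMES) -> dict:
    """Map each name to (blacklist verdict, allowlist verdict) for side-by-side review."""
    return {n: (blacklist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare().items():
        print(f"{name:12} blacklist={deny_ok!s:5} allowlist={allow_ok!s:5}")
```

Running it shows the blacklist passing "page.aspx", "link.lnk" and "noext" while the allow list rejects all three; the blacklist can only grow as new extensions are discovered, whereas the allow list only changes when the application's own needs do.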

Relationships
An incomplete blacklist frequently produces resultant weaknesses.
Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

Related CWE: CWE-184 ChildOf CWE-896
Type: Category
View: CWE-888
Chain: (none)

Demonstrative Examples

  1. In the following example, an XSS neutralization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.
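The demonstrative example described above, reconstructed as an added illustration (this is not the CWE entry's own code, nor SecPod's): a neutralization routine that strips only the lower-case token `<script`, placed beside the output-encoding approach from the mitigations, with a small harness that reports which case variants survive each filter. Function names and the test inputs are constructed for this example.

```python
import html

# Added example (not from the CWE entry): the incomplete blacklist described in
# the demonstrative example, next to output encoding, which does not depend on
# matching any particular spelling of the tag. Inputs below are constructed.


def blacklist_neutralize(untrusted: str) -> str:
    """Incomplete blacklist (CWE-184): removes only the exact lower-case token."""
    return untrusted.replace("<script", "")


def encode_for_html(untrusted: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so no variant
    of any tag survives, whatever its casing or spelling."""
    return html.escape(untrusted, quote=True)


def script_tag_survives(output: str) -> bool:
    """Harness check: does an opening script tag, in any casing, reach the output?"""
    return "<script" in output.lower()


# Constructed variants of the same element; only the first matches the blacklist.
VARIANTS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",
    "<ScRiPt>alert(1)</ScRiPt>",
]


def surviving_variants(filter_fn, variants=VARIANTS) -> list:
    """Return the inputs that still carry a script tag after passing through filter_fn."""
    return [v for v in variants if script_tag_survives(filter_fn(v))]


if __name__ == "__main__":
    print("blacklist lets through:", surviving_variants(blacklist_neutralize))
    print("encoding lets through: ", surviving_variants(encode_for_html))
```

The harness is the practical point: a blacklist is only as good as the variants it was tested against, so keep the variant list in the test suite and treat any non-empty result from `surviving_variants` as a failing build rather than extending the blacklist one case at a time.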

Observed Examples

  1. CVE-2005-2782 : PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
  2. CVE-2004-0542 : Programming language does not filter certain shell metacharacters in Windows environment.
  3. CVE-2004-0595 : XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple interpretation error (MIE) and validate-before-cleanse.
  4. CVE-2005-3287 : Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
  5. CVE-2004-2351 : Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
  6. CVE-2005-2959 : Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
  7. CVE-2005-1824 : SQL injection protection scheme does not quote the "\" special character.
  8. CVE-2005-2184 : Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
  9. CVE-2007-1343 : Product doesn't protect one dangerous variable against external modification.
  10. CVE-2007-5727 : Chain: only removes SCRIPT tags, enabling XSS.
  11. CVE-2006-4308 : Chain: only checks "javascript:" tag.
  12. CVE-2007-3572 : Chain: incomplete blacklist for OS command injection.
  13. CVE-2002-0661 : "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: PLOVER
Name: Incomplete Blacklist


© 2013 SecPod Technologies