CWE

Incomplete Blacklist to Cross-Site Scripting

ID: 692		Date: (C)2012-05-14   (M)2022-10-10
Type: compound element		Status: DRAFT
Abstraction Type: Base

Description

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Applicable Platforms
Language: C
Language: C++
Language Class: All

Related Attack Patterns

• CAPEC-18
• CAPEC-19
• CAPEC-199
• CAPEC-244
• CAPEC-267
• CAPEC-32
• CAPEC-63
• CAPEC-71
• CAPEC-80
• CAPEC-85
• CAPEC-86
• CAPEC-91

Common Consequences

Scope	Technical Impact	Notes
Confidentiality Integrity Availability	Execute unauthorized code or commands

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE	Type	View	Chain
CWE-692 StartsWith CWE-184	Weakness	CWE-709	CWE-692

Demonstrative Examples
None

Observed Examples

1. CVE-2007-5727 : Blacklist only removes <SCRIPT> tag.
2. CVE-2006-3617 : Blacklist only removes <SCRIPT> tag.
3. CVE-2006-4308 : Blacklist only checks "javascript:" tag

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings
None

References:

1. S. Christey .Blacklist defenses as a breeding ground for vulnerability variants. Published on February 2006.