Incomplete Blacklist to Cross-Site Scripting

ID: 692
Date: (C) 2012-05-14 (M) 2012-11-08
Type: compound element
Status: DRAFT
Abstraction Type: Base

Description

The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.

Applicable Platforms
Language: C
Language: C++
Language Class: All

Related Attack Patterns

Common Consequences

Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute unauthorized code or commands

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-692 StartsWith CWE-184
Type: Weakness
View: CWE-709
Chain: CWE-692

Demonstrative Examples
None

Observed Examples

  1. CVE-2007-5727 : Blacklist only removes <SCRIPT> tag.
  2. CVE-2006-3617 : Blacklist only removes <SCRIPT> tag.
  3. CVE-2006-4308 : Blacklist only checks "javascript:" tag.

For more examples, refer to CVE relations in the bottom box.
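The weakness in the Description and in the observed examples above (a filter that strips only <SCRIPT> tags) is shown here as an added example, not code from this CWE record or from any product it references: the blacklist filter beside the output-encoding alternative that removes the whole class of bug, with a check a reviewer can apply to either. Function names and the sample inputs are constructed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the CWE record): the first is what a
# "<script>-only" blacklist was written to catch; the second is ordinary markup
# that the same blacklist never inspects.
SAMPLE_INPUTS = [
    "<script>alert(1)</script>",
    "<b>bold</b> text",
]

# Matches opening and closing <script> tags, case-insensitively.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def blacklist_filter(user_input: str) -> str:
    """Vulnerable pattern (CWE-692): remove only <script> tags; everything else,
    including other tags and attributes, reaches the page unchanged."""
    return SCRIPT_TAG.sub("", user_input)


def encode_for_html_body(user_input: str) -> str:
    """Hardened form: encode every HTML-significant character so the browser
    renders the value as text, whatever tags or attributes it contains."""
    return html.escape(user_input, quote=True)


def leaks_markup(rendered: str) -> bool:
    """Reviewer's check for a sanitiser: a raw '<' or '>' surviving in the rendered
    value means user data can still become markup. A correct output encoder
    never fails this check for any input."""
    return "<" in rendered or ">" in rendered


def compare(user_input: str) -> dict:
    """Apply both approaches to one input and report whether each leaks markup."""
    return {
        "blacklist_leaks_markup": leaks_markup(blacklist_filter(user_input)),
        "encoder_leaks_markup": leaks_markup(encode_for_html_body(user_input)),
    }


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(repr(sample), compare(sample))
```

The blacklist passes its own check only for the one tag it was written for; the encoder passes it for every input, which is why output encoding rather than a denylist is the fix for this weakness class.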

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:

  1. S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants". Published February 2006.

© 2013 SecPod Technologies