Incomplete Blacklist to Cross-Site Scripting
| ID | 692 |
| Date | Created 2012-05-14, Modified 2012-11-08 |
| Type | Compound Element |
| Status | Draft |
| Abstraction Type | Base |
The product uses a blacklist-based protection mechanism to defend against XSS attacks, but the blacklist is incomplete, allowing XSS variants to succeed.
Applicable Platforms: Language: C; Language: C++; Language Class: All
Related Attack Patterns
Common Consequences
| Scope | Impact |
| Confidentiality, Integrity, Availability | Execute unauthorized code or commands |
Relationships
| Relationship | Type | View | Chain |
| CWE-692 StartsWith CWE-184 | Weakness | CWE-709 | CWE-692 |
Observed Examples
- CVE-2007-5727: Blacklist only removes <SCRIPT> tag.
- CVE-2006-3617: Blacklist only removes <SCRIPT> tag.
For more examples, refer to CVE relations in the bottom box.
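To make the weakness concrete, here is an added Python example that is not part of the CWE entry or of the cited CVEs: a filter of the kind the observed examples describe (it strips only the <script> tag), placed beside output encoding, with a check that reports which approach still lets raw markup through. The filter, the sample strings and the helper names are constructed for this illustration.

```python
import html
import re

# Constructed blacklist of the kind the observed examples describe:
# it knows about one tag and nothing else.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Incomplete blacklist: removes the literal <script> tag only."""
    return SCRIPT_TAG.sub("", untrusted)


def encode_for_html(untrusted: str) -> str:
    """Output encoding: every markup-significant character becomes an
    entity, so the browser never interprets the data as a tag."""
    return html.escape(untrusted, quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """Defender's check: does the string still carry characters a browser
    would parse as markup? True means the protection left a gap."""
    return any(ch in rendered for ch in "<>\"")


# Constructed inputs: the one case the blacklist was written for, and a
# variant using a tag the list never considered (any unlisted tag behaves
# the same way, which is the point of CWE-692).
SAMPLES = {
    "listed": "<script>alert(1)</script>",
    "variant": "<i>not on the list</i>",
}


def audit() -> dict:
    """Return, per protection, the sample names that still contain raw
    markup after the protection has been applied."""
    results = {}
    for name, fn in (("blacklist", blacklist_filter), ("encode", encode_for_html)):
        results[name] = [s for s, text in SAMPLES.items()
                         if contains_raw_markup(fn(text))]
    return results


if __name__ == "__main__":
    for name, gaps in audit().items():
        print(f"{name}: gaps in {gaps or 'none'}")
```

Running it shows the blacklist passing the unlisted tag through untouched while the encoded output carries no raw markup for either sample.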
White Box Definitions: None
Black Box Definitions: None
References
- S. Christey. "Blacklist Defenses as a Breeding Ground for Vulnerability Variants". February 2006.