Incomplete Blacklist (CWE-184)

Description
An application uses a "blacklist" of prohibited values, but the blacklist is incomplete. If an incomplete blacklist is used as a security mechanism, the software may allow unintended values to pass into the application logic.

Relationships
    View 699 (Development Concepts): ChildOf Category 171 (Cleansing, Canonicalization, and Comparison Errors)
    View 1000 (Research Concepts): ChildOf Weakness 693 (Protection Mechanism Failure)
    View 1000 (Research Concepts): ChildOf Weakness 697 (Insufficient Comparison)
    View 1000 (Research Concepts): CanPrecede Weakness 79 (Cross-site Scripting); named chain 692
    View 1000 (Research Concepts): CanPrecede Weakness 78 (OS Command Injection)
    View 1000 (Research Concepts): CanPrecede Weakness 434 (Unrestricted Upload of File with Dangerous Type)
    View 1000 (Research Concepts): CanPrecede Weakness 98 (PHP Remote File Inclusion)
    View 888 (Software Fault Pattern Clusters): ChildOf Category 896

Relationship Notes
An incomplete blacklist frequently produces resultant weaknesses. Some incomplete blacklist issues arise from multiple interpretation errors: for example, a blacklist of dangerous shell metacharacters might omit a metacharacter that has meaning in only one particular shell, or a blacklist of XSS manipulations might ignore an unusual construct that is supported by one web browser but not by others.

Weakness Ordinalities
Primary

Time of Introduction
Implementation; Architecture and Design

Common Consequences
Scope: Access Control. Technical impact: bypass protection mechanism.

Detection Methods
Black Box: Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

Potential Mitigations
    Ensure the blacklist covers all inappropriate content outlined in the Common Weakness Enumeration.
    Combine use of a blacklist with appropriate use of whitelists.
    Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many ways to encode a character; you are likely to miss some variants.

Demonstrative Examples
In the following example, an XSS neutralization routine (a blacklist) checks only for the lower-case string "script", so any other casing of the tag name passes through untouched and the check is easily defeated.

Java:
    // Blacklist neutralization: replaces only the exact lowercase string "script".
    // Mixed-case or otherwise varied spellings of the tag name are left intact.
    public String removeScriptTags(String input, String mask) {
        return input.replaceAll("script", mask);
    }

Observed Examples
    CVE-2005-2782: PHP remote file inclusion in a web application that filters "http" and "https" URLs, but not "ftp".
    CVE-2004-0542: Programming language does not filter certain shell metacharacters in a Windows environment.
    CVE-2004-0595: XSS filter doesn't filter null characters before looking for dangerous tags; the null characters are ignored by web browsers. Multiple interpretation error (MIE) and validate-before-cleanse.
    CVE-2005-3287: Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
    CVE-2004-2351: Resultant XSS from an incomplete blacklist (only <script> and <style> are checked).
    CVE-2005-2959: Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
    CVE-2005-1824: SQL injection protection scheme does not quote the "\" special character.
    CVE-2005-2184: Incomplete blacklist prevents the user from automatically executing .EXE files, but allows .LNK, allowing a resultant Windows symbolic link.
    CVE-2007-1343: Product doesn't protect one dangerous variable against external modification. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1343
    CVE-2007-5727: Chain: only removes SCRIPT tags, enabling XSS.
    CVE-2006-4308: Chain: only checks the "javascript:" tag.
    CVE-2007-3572: Chain: incomplete blacklist for OS command injection.
    CVE-2002-0661: "\" not in the blacklist for a web server, allowing path traversal attacks when the server is run on Windows and other OSes.

References
    G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
    S. Christey. "Blacklist defenses as a breeding ground for vulnerability variants." February 2006. http://seclists.org/fulldisclosure/2006/Feb/0040.html
    Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment, 1st Edition, Chapter 8, "Eliminating Metacharacters", page 435. Addison Wesley, 2006.

Taxonomy Mappings
    PLOVER: Incomplete Blacklist

Related Attack Patterns (CAPEC IDs)
    15, 174, 18, 182, 3, 43, 6, 63, 71, 73, 85, 86

Content History
    Submission: PLOVER
    Sean Eidemiller (Cigital), 2008-07-01: added/updated demonstrative examples
    Eric Dalci (Cigital), 2008-07-01: updated Potential_Mitigations, Time_of_Introduction
    CWE Content Team (MITRE), 2008-09-08: updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
    CWE Content Team (MITRE), 2008-11-24: updated Observed_Examples
    CWE Content Team (MITRE), 2009-05-27: updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction
    CWE Content Team (MITRE), 2010-02-16: updated Relationships
    CWE Content Team (MITRE), 2010-04-05: updated Related_Attack_Patterns
    CWE Content Team (MITRE), 2010-06-21: updated Demonstrative_Examples
    CWE Content Team (MITRE), 2011-06-01: updated Common_Consequences
    CWE Content Team (MITRE), 2012-05-11: updated References, Related_Attack_Patterns, Relationships
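The following is an added example, not part of the CWE entry, written in Python rather than the entry's Java. It sets the two blacklist patterns described above (the lowercase-only "script" replacement of the demonstrative example, and the .EXE-only extension block of CVE-2005-2184) beside the mitigations the entry recommends: output encoding that enumerates nothing, and an extension allowlist. All function and constant names, the allowed-extension set and the sample inputs are this example's own constructions.

```python
"""Blacklist checks from this entry beside their allowlist/encoding replacements.

Added example (not CWE content). Names, the allowlist contents and the sample
inputs are constructed for illustration.
"""
import html
import re
from typing import Optional

# Mirrors the entry's Java routine: replaces only the exact lowercase "script",
# so any other casing of the tag name is not touched.
def remove_script_tags_blacklist(user_input: str, mask: str = "") -> str:
    return user_input.replace("script", mask)

# Case-insensitive probe used to judge whether an opening script element survived.
_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_script_element(text: str) -> bool:
    return _SCRIPT_OPEN.search(text) is not None

# Recommended approach for output: do not enumerate bad strings at all; encode
# every character that carries meaning in an HTML text or attribute context.
def neutralize_for_html(user_input: str) -> str:
    return html.escape(user_input, quote=True)

def _final_extension(filename: str) -> Optional[str]:
    # Drop any directory part (either separator style), take the text after the
    # last dot, and lower-case it so "FILE.EXE" and "file.exe" compare equal.
    base = re.split(r"[/\\]", filename)[-1]
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()

# Mirrors CVE-2005-2184: a blacklist that names one dangerous extension.
BLOCKED_EXTENSIONS_BLACKLIST = frozenset({"exe"})

def extension_blacklist_allows(filename: str) -> bool:
    return _final_extension(filename) not in BLOCKED_EXTENSIONS_BLACKLIST

# Allowlist of the extensions this (hypothetical) upload feature actually needs;
# anything not listed, including a missing extension, is rejected.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

def extension_allowlist_allows(filename: str) -> bool:
    ext = _final_extension(filename)
    return ext is not None and ext in ALLOWED_EXTENSIONS

if __name__ == "__main__":
    # Constructed sample inputs.
    mixed_case = "<ScRiPt>alert(1)</ScRiPt>"
    print("blacklist output :", remove_script_tags_blacklist(mixed_case),
          "-> script element survives:", contains_script_element(remove_script_tags_blacklist(mixed_case)))
    print("encoded output   :", neutralize_for_html(mixed_case),
          "-> script element survives:", contains_script_element(neutralize_for_html(mixed_case)))
    for name in ("report.exe", "report.lnk", "photo.JPG", "noext"):
        print(f"{name:12} blacklist allows={extension_blacklist_allows(name)!s:5} "
              f"allowlist allows={extension_allowlist_allows(name)}")
```

The blacklist functions fail open: whatever the list's author did not think of is accepted. The encoding and allowlist functions fail closed: they decide by what is known to be acceptable, so a new variant of the tag name or a new dangerous extension needs no update to remain blocked.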