Incomplete Blacklist
ID: 184 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
An application uses a "blacklist" of prohibited values, but the
blacklist is incomplete.
Extended Description
If an incomplete blacklist is used as a security mechanism, then the
software may allow unintended values to pass into the application logic.
Applicable Platforms
Language Class: All
Time Of Introduction
- Implementation
- Architecture and Design
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Bypass protection mechanism | |
Detection Methods
Name | Description | Effectiveness | Notes |
---|---|---|---|
Black Box | Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed. | | |
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
| | | Ensure the blacklist covers all inappropriate content outlined in the Common Weakness Enumeration. | | |
| | | Combine use of a blacklist with appropriate use of white lists. | | |
| | | Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants. | | |
Relationships
An incomplete blacklist frequently produces resultant weaknesses. Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-184 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples
- In the following example, an XSS neutralization routine (blacklist)
only checks for the lower-case "script" string, which can be easily
defeated.
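The blacklist routine the example describes, written out as an added illustration (not code from the CWE entry), beside the two mitigations listed above: output encoding, which needs no list of forbidden strings, and an allowlist. Function names and the sample inputs are constructed for this illustration.

```python
"""Added example, not part of the CWE-184 entry: a blacklist that only strips
the lower-case string "script", beside encoding and allowlist approaches."""
import html
import re


def blacklist_neutralize(value: str) -> str:
    """Incomplete blacklist: removes only the exact lower-case substring
    "script", so any other spelling of the tag name passes through."""
    return value.replace("script", "")


def encode_for_html(value: str) -> str:
    """Output encoding: every character with HTML meaning is escaped, so the
    defense does not depend on enumerating dangerous strings."""
    return html.escape(value, quote=True)


def allowlist_username(value: str) -> bool:
    """Allowlist validation: accept only the characters a username needs
    (a constructed policy; 1 to 32 characters from a fixed set)."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def script_tag_survives(value: str) -> bool:
    """Defender-side check: does a '<script' opener remain in the output,
    compared case-insensitively?"""
    return re.search(r"<script", value, re.IGNORECASE) is not None


# Constructed inputs: the form the blacklist catches and a case variant it misses.
SAMPLES = ["<script>alert(1)</script>", "<SCRIPT>alert(1)</SCRIPT>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        filtered = blacklist_neutralize(sample)
        print(f"blacklist: {sample!r} -> {filtered!r}; "
              f"script tag survives: {script_tag_survives(filtered)}")
        print(f"encoded:   {sample!r} -> {encode_for_html(sample)!r}")
    print("allowlist accepts 'alice_01':", allowlist_username("alice_01"))
```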
Observed Examples
- CVE-2005-2782 : PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
- CVE-2004-0542 : Programming language does not filter certain shell metacharacters in Windows environment.
- CVE-2004-0595 : XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
- CVE-2005-3287 : Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
- CVE-2004-2351 : Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
- CVE-2005-2959 : Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
- CVE-2005-1824 : SQL injection protection scheme does not quote the "\" special character.
- CVE-2005-2184 : Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
- CVE-2007-1343 : Product doesn't protect one dangerous variable against external modification.
- CVE-2007-5727 : Chain: only removes SCRIPT tags, enabling XSS.
- CVE-2006-4308 : Chain: only checks "javascript:" tag.
- CVE-2007-3572 : Chain: incomplete blacklist for OS command injection.
- CVE-2002-0661 : "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
PLOVER | | Incomplete Blacklist | |
References:
- G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
- S. Christey. Blacklist defenses as a breeding ground for vulnerability variants. February 2006.
- Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 8, "Eliminating Metacharacters", page 435.