Description

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

Applicable Platforms
Language Class: All

Time Of Introduction

• Implementation
• Architecture and Design

Related Attack Patterns

• CAPEC-15
• CAPEC-174
• CAPEC-18
• CAPEC-182
• CAPEC-3
• CAPEC-43
• CAPEC-6
• CAPEC-63
• CAPEC-71
• CAPEC-73
• CAPEC-85
• CAPEC-86

Common Consequences

Detection Methods

Potential Mitigations

Relationships
An incomplete blacklist frequently produces resultant weaknesses.
Some incomplete blacklist issues might arise from multiple interpretation errors, e.g. a blacklist for dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a blacklist for XSS manipulations might ignore an unusual construct that's supported by one web browser, but not others.

Demonstrative Examples   (Details)

1. In the following example, an XSS neutralization routine (blacklist) only checks for the lower-case "script" string, which can be easily defeated.

Observed Examples

1. CVE-2005-2782 : PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp".
2. CVE-2004-0542 : Programming language does not filter certain shell metacharacters in Windows environment.
3. CVE-2004-0595 : XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.
4. CVE-2005-3287 : Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.
5. CVE-2004-2351 : Resultant XSS from incomplete blacklist (only <script> and <style> are checked).
6. CVE-2005-2959 : Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.
7. CVE-2005-1824 : SQL injection protection scheme does not quote the "\" special character.
8. CVE-2005-2184 : Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link.
9. CVE-2007-1343 : product doesn't protect one dangerous variable against external modification
10. CVE-2007-5727 : Chain: only removes SCRIPT tags, enabling XSS
11. CVE-2006-4308 : Chain: only checks "javascript:" tag
12. CVE-2007-3572 : Chain: incomplete blacklist for OS command injection
13. CVE-2002-0661 : "\" not in blacklist for web server, allowing path traversal attacks when the server is run in Windows and other OSes.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

References:

1. G. Hoglund G. McGraw .Exploiting Software: How to Break Code. Addison-Wesley. Published on February 2004.
2. S. Christey .Blacklist defenses as a breeding ground for vulnerability variants. Published on February 2006.
3. Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 8, "Eliminating Metacharacters", Page 435.'. Published on 2006.