Incomplete Denylist to Cross-Site Scripting

Draft Compound

Structure: Chain

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailability

Impact: Execute Unauthorized Code or Commands

Observed Examples 3

CVE-2007-5727Denylist only removes <SCRIPT> tag.

CVE-2006-3617Denylist only removes <SCRIPT> tag.

CVE-2006-4308Denylist only checks "javascript:" tag

References 1

XSS (Cross Site Scripting) Cheat Sheet

RSnake

http://ha.ckers.org/xss.html

ID: REF-714

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Related Attack Patterns

Related Weaknesses

StartsWith:

Incomplete List of Disallowed Inputs (CWE-184)

ChildOf:

Incomplete List of Disallowed Inputs (CWE-184)