CWE-692: Incomplete Denylist to Cross-Site Scripting

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2007-5727

Denylist only removes <SCRIPT> tag.
CVE: CVE-2006-3617

Denylist only removes <SCRIPT> tag.
CVE: CVE-2006-4308

Denylist only checks "javascript:" tag

Related Attack Patterns (CAPEC)

Attack TTPs

T1027 — Obfuscated Files or Information (defense-evasion)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
None listed.

Common Consequences

Impact: Execute Unauthorized Code or Commands — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list