CWE-184: Incomplete Blacklist

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown

Description

An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.

Extended Description

If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.

Related Weaknesses

  • ChildOf: CWE-693 (View 1000, Primary)

  • ChildOf: CWE-1023 (View 1000)

  • CanPrecede: CWE-79 (View 1000, Chain 692)

  • CanPrecede: CWE-78 (View 1000)

  • CanPrecede: CWE-434 (View 1000)

  • CanPrecede: CWE-98 (View 1000)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope          | Impact                      | Notes
Access Control | Bypass Protection Mechanism |

Detection Methods

Black Box

Exploitation of incomplete blacklist weaknesses using the obvious manipulations might fail, but minor variations might succeed.

Potential Mitigations

Implementation

Strategy: Input Validation

Combine use of blacklist with appropriate use of whitelists.

Implementation

Strategy: Input Validation

Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.

Demonstrative Examples

The following code attempts to stop XSS attacks by removing all occurrences of "script" from an input string.

Example language: Java (bad code)

public String removeScriptTags(String input, String mask) {
    // Case-sensitive denylist: "SCRIPT", "ScRiPt", etc. are left untouched.
    return input.replaceAll("script", mask);
}

Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags.
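The following is an added example, not code from the CWE entry. It ports the Java denylist above to Python, runs it against constructed inputs that use the two variations this entry names (upper-case tags and a null byte inside the keyword, as in CVE-2004-0595), and places the two mitigations the entry recommends beside it: an allowlist for a field with a known shape, and output encoding instead of relying on the denylist alone. The normalization in contains_script_tag (drop NUL, fold case) is an assumption about how a lenient browser reads the tag; the allowlist pattern for a username-like field is likewise assumed for illustration.

```python
import html
import re

# Constructed sample inputs (not from the CWE page) that a naive filter might see.
SAMPLES = [
    "<script>alert(1)</script>",            # exact lower-case keyword
    "<SCRIPT>alert(1)</SCRIPT>",            # case variation
    "<scr\x00ipt>alert(1)</script>",        # null byte inside the keyword
]


def remove_script_tags_blacklist(value: str, mask: str = "") -> str:
    """Port of the page's Java removeScriptTags: a case-sensitive denylist."""
    return value.replace("script", mask)


def contains_script_tag(value: str) -> bool:
    """Check the way a lenient browser would read it (assumed): drop NUL bytes,
    fold case, then look for the opening tag."""
    normalized = value.replace("\x00", "").lower()
    return "<script" in normalized


def blacklist_misses(value: str, mask: str = "") -> bool:
    """True when the denylist's output still carries a script tag after
    normalization, i.e. the denylist was incomplete for this input."""
    return contains_script_tag(remove_script_tags_blacklist(value, mask))


# Assumed allowlist for a username-like field: accept only a known-good shape.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def allowlist_validate(value: str) -> bool:
    """Accept the value only if the whole string matches the allowed shape."""
    return USERNAME_PATTERN.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Encode free text for an HTML context instead of trying to strip tags."""
    return html.escape(value, quote=True)


def evaluate_filters(samples=SAMPLES):
    """Run each sample through the three approaches and report what happened."""
    results = []
    for sample in samples:
        results.append({
            "input": sample,
            "blacklist_bypassed": blacklist_misses(sample),
            "allowlist_accepts": allowlist_validate(sample),
            "encoded_still_dangerous": contains_script_tag(encode_for_html(sample)),
        })
    return results


if __name__ == "__main__":
    for row in evaluate_filters():
        print(row)
```

Only the first sample is caught by the denylist; the case and null-byte variants pass straight through, which is exactly the "minor variations might succeed" behaviour the Black Box detection note describes. The allowlist rejects all three because none has the expected shape, and the encoded output contains no tag at all regardless of the input, so neither mitigation depends on enumerating every spelling of "script".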

Observed Examples

Identifier | Description | Link
CVE-2005-2782 | PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2782
CVE-2004-0542 | Programming language does not filter certain shell metacharacters in Windows environment. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0542
CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595
CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3287
CVE-2004-2351 | Resultant XSS from incomplete blacklist (only