CWE-692: Incomplete Denylist to Cross-Site Scripting
CWE Version: 4.18
Last updated: 2025-09-09
Weakness Description
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Extended Description
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
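To make the weakness concrete, the following added example (not part of the CWE entry) contrasts a denylist filter of the kind the observed examples describe, which strips only an exact lowercase `<script>` tag, with contextual output encoding, which neutralizes every variant because it never tries to enumerate them. The sample inputs are constructed for the demonstration.

```python
import html
import re

# Constructed sample inputs, not taken from the CWE entry or REF-714.
SAMPLES = [
    "<script>alert(1)</script>",           # the one shape the denylist expects
    "<ScRiPt>alert(1)</ScRiPt>",           # case variant: browsers parse tags case-insensitively
    "<b onmouseover=alert(1)>hi</b>",      # no script tag at all, just an event attribute
    "<scr<script>ipt>alert(1)</script>",   # stripping is not idempotent: removal reassembles a tag
]


def denylist_filter(s: str) -> str:
    """Incomplete denylist in the style of CWE-692: removes only an exact <script> tag."""
    return s.replace("<script>", "").replace("</script>", "")


def encode_for_html_body(s: str) -> str:
    """Contextual output encoding for an HTML text node: <, >, &, ' and " become entities,
    so the browser can never see an opening tag, whatever the input looked like."""
    return html.escape(s, quote=True)


def still_contains_markup(s: str) -> bool:
    """True if the string can still open an HTML tag (a '<' followed by a letter or '/')."""
    return re.search(r"<[A-Za-z/]", s) is not None


def bypasses(filter_fn, samples):
    """Return the samples that still carry markup after filter_fn has been applied."""
    return [s for s in samples if still_contains_markup(filter_fn(s))]


if __name__ == "__main__":
    print("denylist misses:", bypasses(denylist_filter, SAMPLES))  # three of four survive
    print("encoding misses:", bypasses(encode_for_html_body, SAMPLES))  # none survive
```

The denylist passes only the single input it was written for; the encoder leaves nothing to bypass, which is why CWE guidance favours output encoding (or a parser-based allowlist) over denylists for this class of bug.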
Common Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Code or Commands
Observed Examples
Reference: CVE-2007-5727
Denylist only removes <SCRIPT> tag.
Reference: CVE-2006-3617
Denylist only removes <SCRIPT> tag.
Reference: CVE-2006-4308
Denylist only checks "javascript:" tag.
Applicable Platforms
Languages
Key Information
CWE ID: CWE-692
Abstraction: Compound
Structure: Chain
Status: Draft