CWE-692
Incomplete Denylist to Cross-Site Scripting
Description
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
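The following is an added example, not code from the CWE entry or from any of the products cited below. It constructs two denylist filters of the shape the observed examples describe (one that only strips a literal lowercase <script> tag pair, one that only rejects a URL beginning with the exact prefix "javascript:"), places each beside the allowlist-style mitigation (context-appropriate output encoding with html.escape, and a scheme allowlist for URLs), and runs both over constructed inputs. The sample fragments, the placeholder handler() call, and the looks_executable oracle are assumptions made for the example; the oracle is a test aid for this script and is not itself a sanitizer.

```python
import html
import re
from urllib.parse import urlsplit

# --- The weakness: two denylist filters of the kind the observed examples describe ---
# (constructed for this example; they are not code from any of the cited products)

SCRIPT_TAG = re.compile(r"</?script>")  # literal, lowercase, no attributes: the denylist


def denylist_filter(untrusted: str) -> str:
    """Strip lowercase <script> tag pairs and pass everything else through unchanged.
    This mirrors 'denylist only removes <SCRIPT> tag' (CVE-2007-5727, CVE-2006-3617)."""
    return SCRIPT_TAG.sub("", untrusted)


def url_scheme_denylist(url: str) -> bool:
    """Accept a URL unless it starts with the exact lowercase prefix 'javascript:'.
    This mirrors 'denylist only checks javascript:' (CVE-2006-4308)."""
    return not url.startswith("javascript:")


# --- The mitigations: encode for the output context, allowlist the URL scheme ---

def escape_for_html_text(untrusted: str) -> str:
    """Encode the HTML metacharacters so the browser renders the input as text.
    html.escape covers HTML body text and quoted attribute values; other contexts
    (JavaScript strings, CSS, URLs) need their own encoders."""
    return html.escape(untrusted, quote=True)


def url_scheme_allowlist(url: str) -> bool:
    """Accept only absolute http(s) URLs; any other scheme, in any spelling, is rejected.
    (Relative URLs are rejected too; widen the rule deliberately if they are needed.)"""
    return urlsplit(url.strip()).scheme.lower() in {"http", "https"}


# --- A test oracle (not a sanitizer): does a fragment still carry active content? ---

ACTIVE_CONTENT = re.compile(
    r"<script\b"                    # a script element in any letter case
    r"|<[a-z][^>]*\son[a-z]+\s*="   # any element carrying an on* event-handler attribute
    r"|<[a-z][^>]*javascript:",     # any element carrying a javascript: URL
    re.IGNORECASE,
)


def looks_executable(fragment: str) -> bool:
    """True if the fragment still contains one of the constructs above (test aid only)."""
    return ACTIVE_CONTENT.search(fragment) is not None


# Constructed inputs. 'handler()' stands in for whatever script an attacker would supply;
# the shapes are the textbook variants a <script>-only denylist does not anticipate.
SAMPLES = {
    "lowercase script tag": "<script>handler()</script>",
    "mixed-case script tag": "<ScRiPt>handler()</ScRiPt>",
    "event-handler attribute": '<img src="x" onerror="handler()">',
    "javascript: URL": '<a href="javascript:handler()">link</a>',
}


def audit(samples=SAMPLES):
    """Return {name: (denylist_output_still_active, escaped_output_still_active)}."""
    return {
        name: (looks_executable(denylist_filter(s)),
               looks_executable(escape_for_html_text(s)))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (after_denylist, after_escape) in audit().items():
        print(f"{name:24s} denylist leaves active content: {after_denylist!s:5s} "
              f"escaping leaves active content: {after_escape}")
    for url in ("javascript:handler()", "JavaScript:handler()", "https://example.com/"):
        print(f"{url:24s} denylist accepts: {url_scheme_denylist(url)!s:5s} "
              f"allowlist accepts: {url_scheme_allowlist(url)}")
```

The denylist removes exactly the one spelling it was written for and leaves every other variant intact, while encoding for the output context neutralises all of them without needing to know which spelling was used; the same asymmetry holds for the URL check, where the allowlist decides on the parsed, case-normalised scheme rather than on a literal prefix.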
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Scope
Impact
Execute Unauthorized Code or Commands
CVE-2007-5727: Denylist only removes <SCRIPT> tag.
CVE-2006-3617: Denylist only removes <SCRIPT> tag.
CVE-2006-4308: Denylist only checks "javascript:" tag.
Applicable Platforms