CWE-692 - Incomplete Denylist to Cross-Site Scripting

CWE-692

Abstraction:
Compound

Structure:
Chain

Status:
Draft

Weakness Name: Incomplete Denylist to Cross-Site Scripting

Description: The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Common Consequences: Scope: Confidentiality, Integrity, Availability
Impact: Execute Unauthorized Code or Commands

Related Weaknesses: CWE-184Incomplete List of Disallowed Inputs

Release Date:
2008-04-11

Latest Modification Date:
2023-06-29

Free security scan for your website

Don't show website scan report rating on the leaderboard