CompoundDraft

CWE-692: Incomplete Denylist to Cross-Site Scripting

Category: other

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
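The gap the description names is easiest to see by running the two approaches side by side. The block below is an added illustration, not part of the CWE entry or MITRE's text: a small literal denylist of the kind CWE-692 describes, a bounded URL-decoding canonicalization step (filters that skip it are what the encoding-based CAPEC entries on this page target), and contextual output encoding, which neutralizes every markup-opening character instead of trying to recognize attacks. The `DENYLIST` contents, the helper names and the `SAMPLES` inputs are all constructed for this example; the sample payload bodies are inert placeholders.

```python
"""
Added example (not from the CWE entry or MITRE): a denylist XSS filter of the
kind CWE-692 describes, beside contextual output encoding, applied to the same
constructed inputs so the difference between the two defences is visible.
"""
import html
import re
from urllib.parse import unquote

# Substrings the hypothetical denylist removes.  Like most real ones it is
# literal and case-sensitive; anything it does not name passes through.
DENYLIST = ("<script>", "</script>", "javascript:")


def denylist_filter(value: str) -> str:
    """Strip every denylisted substring and return the (supposedly) safe string."""
    for bad in DENYLIST:
        value = value.replace(bad, "")
    return value


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so a check sees the
    form the application will act on rather than an encoded alias of it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def encode_for_html_body(value: str) -> str:
    """Context-aware output encoding for HTML text and quoted-attribute contexts.
    It does not try to recognise attacks: every character that can open or
    close markup becomes an entity, so no variant needs to be enumerated."""
    return html.escape(value, quote=True)


MARKUP_CHARS = re.compile(r"[<>\"']")


def contains_markup(value: str) -> bool:
    """True if a character that can start or close HTML markup survives."""
    return MARKUP_CHARS.search(value) is not None


# Constructed samples.  Payload bodies are inert placeholders; the question is
# whether the surrounding markup reaches the browser, not what it would run.
SAMPLES = {
    "plain_tag": "<script>run()</script>",
    "mixed_case": "<ScRiPt>run()</ScRiPt>",
    "event_attr": '<img src="x" onerror="run()">',
    "url_encoded": "%3Cscript%3Erun()%3C/script%3E",
}


def evaluate(samples: dict) -> dict:
    """For each sample, report whether markup survives each defence.

    denylist_raw       : filter runs on the raw request value, then the app
                         decodes it before rendering (filter-before-decode).
    denylist_canonical : filter runs on the canonicalized value.
    output_encoding    : canonicalize, then encode for the HTML context.
    """
    report = {}
    for name, raw in samples.items():
        report[name] = {
            "denylist_raw": contains_markup(canonicalize(denylist_filter(raw))),
            "denylist_canonical": contains_markup(denylist_filter(canonicalize(raw))),
            "output_encoding": contains_markup(encode_for_html_body(canonicalize(raw))),
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:12s} {result}")
```

Only the literal `<script>` sample is stopped by the denylist; the case variant and the attribute-based sample never match it, and the URL-encoded sample slips past a filter that runs before decoding. Output encoding leaves no markup character in any of the four, which is why the mitigation for CWE-692 is contextual encoding on output (with canonicalization before any check you do keep), not a longer denylist.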

Common consequences (1)

  • Confidentiality / Integrity / Availability — Execute Unauthorized Code or Commands

Related CAPEC attack patterns (5)

  • CAPEC-120, CAPEC-267, CAPEC-71, CAPEC-80, CAPEC-85

References

  1. https://cwe.mitre.org/data/definitions/692.html

Exploits (incoming) (5)

Each row: type, target, confidence, tier.

  • Attack pattern: Using Unicode Encoding to Bypass Validation Logic (CAPEC-71), confidence 100%, tier: live
  • Attack pattern: Using UTF-8 Encoding to Bypass Validation Logic (CAPEC-80), confidence 100%, tier: live
  • Attack pattern: Leverage Alternate Encoding (CAPEC-267), confidence 100%, tier: live
  • Attack pattern: AJAX Footprinting (CAPEC-85), confidence 100%, tier: live
  • Attack pattern: Double Encoding (CAPEC-120), confidence 100%, tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Neutralization of Alternate XSS Syntax
  • CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • CWE: Permissive Cross-domain Security Policy with Untrusted Domains
  • CWE: XML Injection (aka Blind XPath Injection)

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.