CWE-692β€”Incomplete Denylist to Cross-Site Scripting

PUBLISHEDweakness record
released 2008-04-11 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-692
Abstraction:
Compound
Structure:
Chain
Status:
Draft
Release Date:
2008-04-11
Latest Modification Date:
2025-12-11

Weakness Name

Incomplete Denylist to Cross-Site Scripting

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Common Consequences

Scope:
Confidentiality, Integrity, Availability
Impact:
Execute Unauthorized Code or Commands

Related Weaknesses