CWE-692Incomplete Denylist to Cross-Site Scripting

PUBLISHEDweakness record
released 2008-04-11 · last modified 2025-12-11

Metadata

CWE ID:
CWE-692
摘要:
Compound
结构:
Chain
状态:
Draft
发布日期:
2008-04-11
更新日期:
2025-12-11

名称

Incomplete Denylist to Cross-Site Scripting

描述

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

常见后果

范围:
Confidentiality, Integrity, Availability
影响:
Execute Unauthorized Code or Commands

相关 CWE