{"@ID": "184", "@Name": "Incomplete List of Disallowed Inputs", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-184-Diagram.png", "Description": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "1023", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "79", "@View_ID": "1000", "@Chain_ID": "692"}, {"@Nature": "CanPrecede", "@CWE_ID": "78", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "434", "@View_ID": "1000"}, {"@Nature": "CanPrecede", "@CWE_ID": "98", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Alternate_Terms": {"Alternate_Term": [{"Term": "Denylist / Deny List", "Description": "This is used by CWE and CAPEC instead of other commonly-used terms.  Its counterpart is allowlist."}, {"Term": "Blocklist / Block List", "Description": "This is often used by security tools such as firewalls, email or web gateways, proxies, etc."}, {"Term": "Blacklist / Black List", "Description": "This term is frequently used, but usage has been declining as organizations have started to adopt other terms."}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation", "Note": "Developers often try to protect their products against malicious input by checking against lists of known bad inputs, such as special characters that can invoke new commands. However, such lists often only address the most well-known bad inputs. As a quick fix, developers might rely on these lists instead of addressing the root cause of the issue. See [REF-141]."}, {"Phase": "Architecture and Design", "Note": "The design might rely solely on detection of malicious inputs as a protection mechanism."}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Bypass Protection Mechanism", "Note": "Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism."}}, "Detection_Methods": {"Detection_Method": {"Method": "Black Box", "Description": "Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed."}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Strategy": "Input Validation", "Description": "Do not rely exclusively on detecting disallowed inputs.  There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants.  Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify \"good\" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-226", "Intro_Text": "The following code attempts to stop XSS attacks by removing all occurences of \"script\" in an input string.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "#text": "return input.replaceAll(\"script\", mask);"}, "#text": "public String removeScriptTags(String input, String mask) {}"}}, "Body_Text": "Because the code only checks for the lower-case \"script\" string, it can be easily defeated with upper-case script tags."}, {"@Demonstrative_Example_ID": "DX-225", "Intro_Text": "This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.", "Example_Code": [{"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "return($ARGV[0]);"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null], "#text": "my($str) = @_;$str =~ s/\\&/\\&amp;/gs;$str =~ s/\\\"/\\&quot;/gs;$str =~ s/\\'/\\&apos;/gs;$str =~ s/\\</\\&lt;/gs;$str =~ s/\\>/\\&gt;/gs;return($str);"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "#text": "my $uname = encode(GetUntrustedInput(\"username\"));print \"<b>Welcome, $uname!</b><p>\\n\";system(\"cd /home/$uname; /bin/ls -l\");"}], "xhtml:br": [null, null, null, null], "#text": "sub GetUntrustedInput {}\n                     sub encode {}\n                     sub doit {}"}}, {"@Nature": "Attack", "xhtml:div": "' pwd"}], "Body_Text": ["The programmer attempts to encode dangerous characters, however the denylist for encoding is incomplete (CWE-184) and an attacker can still pass a semicolon, resulting in a chain with OS command injection (CWE-78).", "Additionally, the encoding routine is used inappropriately with command execution. An attacker doesn't even need to insert their own semicolon. The attacker can instead leverage the encoding routine to provide the semicolon to separate the commands. If an attacker supplies a string of the form:", "then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection."]}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-6091", "Description": "Chain: AI agent platform does not restrict pathnames containing internal \"/./\" sequences (CWE-55), leading to an incomplete denylist (CWE-184) that does not prevent OS command injection (CWE-78)", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-6091"}, {"Reference": "CVE-2024-4315", "Description": "Chain: API for text generation using Large Language Models (LLMs) does\n\t\t\t   not include the \"\\\" Windows folder separator in its denylist (CWE-184)\n\t\t\t   when attempting to prevent Local File Inclusion via path traversal\n\t\t\t   (CWE-22), allowing deletion of arbitrary files on Windows systems.", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-4315"}, {"Reference": "CVE-2024-44335", "Description": "Chain: filter only checks for some shell-injection characters (CWE-184), enabling OS command injection (CWE-78)", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-44335"}, {"Reference": "CVE-2008-2309", "Description": "product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-2309"}, {"Reference": "CVE-2005-2782", "Description": "PHP remote file inclusion in web application that filters \"http\" and \"https\" URLs, but not \"ftp\".", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2782"}, {"Reference": "CVE-2004-0542", "Description": "Programming language does not filter certain shell metacharacters in Windows environment.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0542"}, {"Reference": "CVE-2004-0595", "Description": "XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0595"}, {"Reference": "CVE-2005-3287", "Description": "Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-3287"}, {"Reference": "CVE-2004-2351", "Description": "Resultant XSS when only <script> and <style> are checked.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2351"}, {"Reference": "CVE-2005-2959", "Description": "Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2959"}, {"Reference": "CVE-2005-1824", "Description": "SQL injection protection scheme does not quote the \"\\\" special character.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1824"}, {"Reference": "CVE-2005-2184", "Description": "Detection of risky filename extensions prevents users from automatically executing .EXE files, but .LNK is accepted, allowing resultant Windows symbolic link.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2184"}, {"Reference": "CVE-2007-1343", "Description": "Product uses list of protected variables, but accidentally omits one dangerous variable, allowing external modification", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-1343"}, {"Reference": "CVE-2007-5727", "Description": "Chain: product only removes SCRIPT tags (CWE-184), enabling XSS (CWE-79)", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-5727"}, {"Reference": "CVE-2006-4308", "Description": "Chain: product only checks for use of \"javascript:\" tag (CWE-184), allowing XSS (CWE-79) using other tags", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-4308"}, {"Reference": "CVE-2007-3572", "Description": "Chain: OS command injection (CWE-78) enabled by using an unexpected character that is not explicitly disallowed (CWE-184)", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-3572"}, {"Reference": "CVE-2002-0661", "Description": "\"\\\" not in list of disallowed values for web server, allowing path traversal attacks when the server is run on Windows and other OSes.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0661"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "PLOVER", "Entry_Name": "Incomplete Blacklist"}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "120"}, {"@CAPEC_ID": "15"}, {"@CAPEC_ID": "182"}, {"@CAPEC_ID": "3"}, {"@CAPEC_ID": "43"}, {"@CAPEC_ID": "6"}, {"@CAPEC_ID": "71"}, {"@CAPEC_ID": "73"}, {"@CAPEC_ID": "85"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-140"}, {"@External_Reference_ID": "REF-141"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 8, \"Eliminating Metacharacters\", Page 435"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Relationship", "xhtml:p": "Multiple interpretation errors can indirectly introduce inputs that should be disallowed. For example, a list of dangerous shell metacharacters might not include a metacharacter that only has meaning in one particular shell, not all of them; or a check for XSS manipulations might ignore an unusual construct that is supported by one web browser, but not others."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-04-05", "Modification_Version": "1.8.1", "Modification_ReleaseDate": "2010-04-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Potential_Mitigations, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Alternate_Terms, Description, Detection_Factors, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Alternate_Terms, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-07-16", "Modification_Version": "4.15", "Modification_ReleaseDate": "2024-07-16", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Common_Consequences, Description, Diagram, Modes_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples"}], "Previous_Entry_Name": {"@Date": "2020-02-24", "#text": "Incomplete Blacklist"}}}
