CWE - CWE-692: Incomplete Denylist to Cross-Site Scripting (4.18)

Home > CWE List > CWE-692: Incomplete Denylist to Cross-Site Scripting (4.18)

CWE Glossary Definition

CWE-692: Incomplete Denylist to Cross-Site Scripting

Weakness ID: 692 (Structure: Chain) Chain - a Compound Element that is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.

Vulnerability Mapping: DISCOURAGED This CWE ID should not be used to map to real-world vulnerabilities

View customized information:

For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.

Edit Custom Filter

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Extended Description

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Common Consequences

Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Impact	Details
Execute Unauthorized Code or Commands	Scope: Confidentiality, Integrity, Availability

Chain Components

Nature	Type	ID	Name
StartsWith	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	184	Incomplete List of Disallowed Inputs
FollowedBy	BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Relationships

Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (View-1000)

Nature	Type	ID	Name
ChildOf	Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	184	Incomplete List of Disallowed Inputs

Applicable Platforms

Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Not Language-Specific (Undetermined Prevalence)

Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference	Description
CVE-2007-5727	Denylist only removes <SCRIPT> tag.
CVE-2006-3617	Denylist only removes <SCRIPT> tag.
CVE-2006-4308	Denylist only checks "javascript:" tag

Memberships

Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.	1409	Comprehensive Categorization: Injection

Vulnerability Mapping Notes

Usage DISCOURAGED

(this CWE ID should not be used to map to real-world vulnerabilities)

Reason Other

Rationale

This CWE entry is a named chain, which combines multiple weaknesses.

Comments

Mapping to each separate weakness in the chain would be more precise.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-120	Double Encoding
CAPEC-267	Leverage Alternate Encoding
CAPEC-71	Using Unicode Encoding to Bypass Validation Logic
CAPEC-80	Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-85	AJAX Footprinting

References

[REF-714] RSnake. "XSS (Cross Site Scripting) Cheat Sheet".
<http://ha.ckers.org/xss.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2008年04月11日 (CWE Draft 9, 2008年04月11日)	CWE Content Team	MITRE
2008年04月11日 (CWE Draft 9, 2008年04月11日)
Modifications
Modification Date	Modifier	Organization
2023年06月29日	CWE Content Team	MITRE
2023年06月29日	updated Mapping_Notes, Relationships
2023年04月27日	CWE Content Team	MITRE
2023年04月27日	updated Relationships
2020年06月25日	CWE Content Team	MITRE
2020年06月25日	updated Description, Name, Observed_Examples, References
2019年01月03日	CWE Content Team	MITRE
2019年01月03日	updated Related_Attack_Patterns
2017年11月08日	CWE Content Team	MITRE
2017年11月08日	updated Relationships, Relevant_Properties
2017年05月03日	CWE Content Team	MITRE
2017年05月03日	updated Related_Attack_Patterns
2017年01月19日	CWE Content Team	MITRE
2017年01月19日	updated Relationships
2014年06月23日	CWE Content Team	MITRE
2014年06月23日	updated Applicable_Platforms, Description, Other_Notes
2012年05月11日	CWE Content Team	MITRE
2012年05月11日	updated Related_Attack_Patterns
2011年06月01日	CWE Content Team	MITRE
2011年06月01日	updated Common_Consequences
2009年03月10日	CWE Content Team	MITRE
2009年03月10日	updated Related_Attack_Patterns
2008年10月14日	CWE Content Team	MITRE
2008年10月14日	updated Applicable_Platforms
2008年09月24日	CWE Content Team	MITRE
2008年09月24日	added Language_Class "All"
2008年09月08日	CWE Content Team	MITRE
2008年09月08日	updated Applicable_Platforms, Relationships, Other_Notes
2008年07月01日	Eric Dalci	Cigital
2008年07月01日	updated Time_of_Introduction
Previous Entry Names
Change Date	Previous Entry Name
2020年02月26日	Incomplete Blacklist to Cross-Site Scripting

More information is available — Please edit the custom filter or select a different filter.

Page Last Updated: September 09, 2025

MITRE

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

HSSEDI