CWE-184: Incomplete Blacklist
Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Unknown
Description
An application uses a "blacklist" of prohibited values, but the blacklist is incomplete.
Extended Description
If an incomplete blacklist is used as a security mechanism, then the software may allow unintended values to pass into the application logic.
Related Weaknesses
Nature | CWE ID | View ID | Ordinal / Chain |
---|---|---|---|
ChildOf | CWE-693 | 1000 | Primary |
ChildOf | CWE-1023 | 1000 | |
CanPrecede | CWE-79 | 1000 | Chain 692 |
CanPrecede | CWE-78 | 1000 | |
CanPrecede | CWE-434 | 1000 | |
CanPrecede | CWE-98 | 1000 | |
Applicable Platforms
Language: Language-Independent (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Access Control | Bypass Protection Mechanism | |
Detection Methods
Black Box
Potential Mitigations
Implementation
Strategy: Input Validation
Combine use of blacklist with appropriate use of whitelists.
Implementation
Strategy: Input Validation
Do not rely exclusively on blacklist validation to detect malicious input or to encode output. There are too many variants to encode a character; you're likely to miss some variants.
Demonstrative Examples
Example
The following code attempts to stop XSS attacks by removing all occurrences of "script" in an input string.
(bad code) Example language: Java

```java
public String removeScriptTags(String input, String mask) {
    return input.replaceAll("script", mask);
}
```

Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case or mixed-case script tags such as <SCRIPT>. It also does nothing against XSS payloads that never contain the word "script" at all, such as event-handler attributes (see CVE-2007-5727 below).
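Added example (Python, written for this page; it is not code from the CWE entry or from the scap中文网 page). It reproduces the blacklist filter above, shows the case-variation bypass the text describes together with the null-byte and event-handler bypasses from the observed examples below, and sets beside it the two mitigations listed above: contextual output encoding and an allowlist for fields whose shape is known. All payloads, the `USERNAME_RE` shape and the function names are constructed for the demonstration.

```python
import html
import re

# Blacklist filter modelled on the page's Java example: strip the literal,
# lower-case token "script" and nothing else.
def remove_script_tags(text: str, mask: str = "") -> str:
    return text.replace("script", mask)

# A "better" blacklist that ignores case. Still incomplete: it knows one
# token, and an XSS payload does not need the word "script" at all.
def remove_script_tags_ci(text: str, mask: str = "") -> str:
    return re.sub("script", mask, text, flags=re.IGNORECASE)

# Constructed payloads, one per bypass technique. The upper-case case is the
# one the text describes; the null-byte case mirrors CVE-2004-0595; the
# event-handler case mirrors CVE-2007-5727 (no "script" token needed).
PAYLOADS = {
    "plain":          "<script>alert(1)</script>",
    "upper-case":     "<SCRIPT>alert(1)</SCRIPT>",
    "null byte":      "<scr\x00ipt>alert(1)</scr\x00ipt>",
    "event handler":  "<img src=x onerror=alert(1)>",
    "mixed-case URL": '<a href="JavaScript:alert(1)">x</a>',
}

def surviving_payloads(filter_fn) -> list:
    """Names of the payloads that pass through filter_fn completely unchanged."""
    return [name for name, p in PAYLOADS.items() if filter_fn(p) == p]

# Mitigation 1: contextual output encoding. '<', '>', '&', '"' and "'" all
# become entities, so no payload survives as markup in an HTML text context.
def encode_for_html(text: str) -> str:
    return html.escape(text, quote=True)

# Mitigation 2: an allowlist for input whose shape is known in advance.
# Constructed rule: a username is 1-32 ASCII letters, digits or underscores.
# Anything else is rejected outright instead of being "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(text: str) -> bool:
    return USERNAME_RE.fullmatch(text) is not None

if __name__ == "__main__":
    for label, fn in [("blacklist", remove_script_tags),
                      ("blacklist, case-insensitive", remove_script_tags_ci),
                      ("output encoding", encode_for_html)]:
        print(f"{label}: payloads surviving unchanged = {surviving_payloads(fn)}")
    print("username 'alice_01' accepted:", is_valid_username("alice_01"))
    print("username '<SCRIPT>' accepted:", is_valid_username("<SCRIPT>"))
```

Running it shows the progression the mitigations warn about: the plain blacklist lets four of the five constructed payloads through untouched, the case-insensitive variant still lets two through, and only the encoding step (or the allowlist, for fields that have one) leaves nothing to chase.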
Observed Examples
ID | Description | Link |
---|---|---|
CVE-2005-2782 | PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2782 |
CVE-2004-0542 | Programming language does not filter certain shell metacharacters in Windows environment. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0542 |
CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595 |
CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3287 |
CVE-2004-2351 | Resultant XSS from incomplete blacklist (only <script> and <style> are checked). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2351 |
CVE-2005-2959 | Privileged program does not clear sensitive environment variables that are used by bash. Overlaps multiple interpretation error. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2959 |
CVE-2005-1824 | SQL injection protection scheme does not quote the "\" special character. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1824 |
CVE-2005-2184 | Incomplete blacklist prevents user from automatically executing .EXE files, but allows .LNK, allowing resultant Windows symbolic link. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2184 |
CVE-2007-1343 | Product doesn't protect one dangerous variable against external modification. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1343 |
CVE-2007-5727 | Chain: incomplete blacklist (CWE-184) only removes SCRIPT tags, enabling XSS (CWE-79) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5727 |
CVE-2006-4308 | Chain: incomplete blacklist (CWE-184) only checks "javascript:" tag, allowing XSS (CWE-79) using other tags | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4308 |
CVE-2007-3572 | Chain: incomplete blacklist for OS command injection | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3572 |
CVE-2002-0661 | "\" not in blacklist for web server, allowing path traversal attacks when the server is run on Windows and other OSes. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661 |
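Added example (Python, written for this page; none of it is code from the CWE entry or from the products named in the table). It applies the same blacklist-versus-allowlist contrast to the three non-XSS patterns above: the remote-include source check of CVE-2005-2782, the upload-extension check of CVE-2005-3287 and CVE-2005-2184, and the separator-blind traversal check of CVE-2002-0661. The blacklists are constructed to mimic the described flaws, not taken from the affected software; the extension sets, the `.php` include rule and the sample inputs are assumptions for the demonstration.

```python
import posixpath
import re

# ---- Blacklists constructed to mimic the flaws described in the table ----

def include_allowed_blacklist(source: str) -> bool:
    """CVE-2005-2782 pattern: refuse http/https include sources, accept everything else."""
    lowered = source.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))

BLOCKED_EXTENSIONS = {".php", ".asp", ".exe"}   # constructed, deliberately incomplete

def upload_allowed_blacklist(filename: str) -> bool:
    """CVE-2005-3287 / CVE-2005-2184 pattern: forbid a few extensions, permit the rest."""
    return posixpath.splitext(filename.lower())[1] not in BLOCKED_EXTENSIONS

def traversal_free_blacklist(path: str) -> bool:
    """CVE-2002-0661 pattern: look for '../' only and forget the backslash form."""
    return "../" not in path

# ---- Allowlist replacements ----

def include_allowed_allowlist(source: str) -> bool:
    """Accept only a bare file name of safe characters: no scheme, no directory part."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.php", source) is not None

ALLOWED_EXTENSIONS = {".png", ".jpg", ".txt"}   # constructed allowlist

def upload_allowed_allowlist(filename: str) -> bool:
    return posixpath.splitext(filename.lower())[1] in ALLOWED_EXTENSIONS

SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]+")

def path_stays_in_base(path: str) -> bool:
    """Fold both separators to '/', normalise, then require every segment to be a
    plain name, so '..', absolute paths and drive letters are all rejected."""
    normalised = posixpath.normpath(path.replace("\\", "/"))
    if normalised.startswith("/"):
        return False
    return all(SAFE_SEGMENT.fullmatch(seg) and seg != ".."
               for seg in normalised.split("/"))

# Constructed inputs: (check name, benign value, bypass value, blacklist fn, allowlist fn).
CASES = [
    ("include", "header.php", "ftp://attacker.example/shell.txt",
     include_allowed_blacklist, include_allowed_allowlist),
    ("upload", "photo.JPG", "shell.aspx",
     upload_allowed_blacklist, upload_allowed_allowlist),
    ("path", "docs/../readme.txt", "..\\..\\windows\\win.ini",
     traversal_free_blacklist, path_stays_in_base),
]

def bypass_report() -> dict:
    """For each check: (does the bypass pass the blacklist?, does it pass the allowlist?)."""
    return {name: (black(bad), allow(bad)) for name, _good, bad, black, allow in CASES}

def benign_report() -> dict:
    """For each check: does the benign value pass the allowlist? (It should.)"""
    return {name: allow(good) for name, good, _bad, _black, allow in CASES}

if __name__ == "__main__":
    for name, (via_blacklist, via_allowlist) in bypass_report().items():
        print(f"{name}: bypass passes blacklist={via_blacklist}, passes allowlist={via_allowlist}")
    print("benign inputs accepted by allowlists:", benign_report())
```

Each bypass value sails through its blacklist and is stopped by the corresponding allowlist, while the benign value is still accepted. Note that the extension allowlist decides on the final extension only; how the web server interprets a name like `shell.php.png` is a server-configuration question outside this CWE entry.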
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Incomplete Blacklist |
Related Attack Patterns
- CAPEC-120
- CAPEC-15
- CAPEC-182
- CAPEC-3
- CAPEC-43
- CAPEC-6
- CAPEC-71
- CAPEC-73
- CAPEC-85
Source: scap中文网