CWE-184: Incomplete List of Disallowed Inputs
Official CWE context for CWE-184, with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-184: Denylist / Deny List
Incomplete List of Disallowed Inputs represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Access Control: Bypass Protection Mechanism: Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Developer Pattern
CWE-184 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
High confidence (source: CWE-184, CWE 4.20).
Official CWE Definition
CWE-184: Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following code attempts to stop XSS attacks by removing all occurrences of "script" in an input string. Because the code only checks for the lower-case "script" string, it can be easily defeated with upper-case script tags.
- This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name. The programmer attempts to encode dangerous characters, but the denylist for encoding is incomplete (CWE-184), and an attacker can still pass a semicolon, resulting in a chain with OS command injection (CWE-78). Additionally, the encoding routine is used inappropriately with command execution: an attacker doesn't even need to insert their own semicolon, and can instead leverage the encoding routine to supply the semicolon that separates the commands. If an attacker supplies a string of the form: ..., then the program will encode the apostrophe and insert the semicolon, which functions as a command separator when passed to the system function. This allows the attacker to complete the command injection.
Remediation
- Implementation: Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
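As an added illustration of the two CWE-184 examples above and of this remediation (not code from the CWE entry or from Glexia), the flawed lower-case "script" denylist sits beside an allowlist for the user name, an argv-based command build that never hands the name to a shell, and output encoding for the web case. The username pattern, the home-directory path and the function names are assumptions made for this example.

```python
import html
import re


def denylist_strip_script(user_input: str) -> str:
    """Flawed denylist filter from the CWE-184 example: it removes only the
    literal lower-case token, so "SCRIPT" and other variants pass untouched."""
    return user_input.replace("script", "")


# Allowlist for user names: only characters a user name is ever expected to
# contain. The exact pattern is an assumption for this example.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def is_allowed_username(name: str) -> bool:
    """Accept the name only if it matches the allowlist; everything else,
    including any string containing ';', '\'' or whitespace, is rejected."""
    return USERNAME_RE.fullmatch(name) is not None


def home_listing_argv(name: str) -> list[str]:
    """Build the argument vector for listing a user's home directory.

    The name must pass the allowlist, and the command is returned as an argv
    list intended for subprocess.run(argv, shell=False). No shell ever sees
    the string, so a semicolon cannot act as a command separator whether it
    is supplied directly or produced by an encoding routine.
    """
    if not is_allowed_username(name):
        raise ValueError("username rejected by allowlist")
    return ["ls", "-l", f"/home/{name}"]


def encode_for_html(user_input: str) -> str:
    """Output encoding for the web case: every markup-significant character
    is neutralised, so no list of forbidden spellings of 'script' is needed."""
    return html.escape(user_input, quote=True)
```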
Detection
- Black Box: Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-1023: Incomplete Comparison with Missing Factors
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-693: Protection Mechanism Failure
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- CWE-186: Overly Restrictive Regular Expression
- CWE-625: Permissive Regular Expression
- CWE-692: Incomplete Denylist to Cross-Site Scripting
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.