Corgea LogoCorgea Security Hub

CWE-184: Incomplete List of Disallowed Inputs

Learn about CWE-184 (Incomplete List of Disallowed Inputs), its security impact, exploitation methods, and prevention guidelines.

What is Incomplete List of Disallowed Inputs?

• Overview: An Incomplete List of Disallowed Inputs vulnerability occurs when a software application uses a blacklist to block or neutralize certain inputs, but the list is not comprehensive, allowing some harmful inputs to bypass security measures.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by using inputs that are not on the blacklist, potentially leading to unauthorized access or other malicious activities.
  • Common attack patterns include injecting unexpected data types, exploiting edge cases, or using crafted inputs that evade the disallowed list.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized data manipulation, exposure of sensitive information, or execution of unintended commands.
  • Potential cascading effects might involve further system compromise, spreading malware, or creating backdoors for future attacks.
  • Business impact can include data breaches, loss of customer trust, legal penalties, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes involve using whitelists (allow lists) instead of blacklists, ensuring all inputs are validated against known safe criteria.
  • Security best practices include employing input validation libraries, implementing comprehensive input sanitation, and regularly updating disallowed lists.
  • Recommended tools and frameworks include using security-focused libraries and frameworks that handle input validation, such as OWASP's ESAPI, and integrating static and dynamic analysis tools to identify incomplete blacklists.
Corgea can automatically detect and fix Incomplete List of Disallowed Inputs in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

JavaScript Example

// This function attempts to prevent certain dangerous inputs by disallowing specific strings
function isValidInput(input) {
    // Vulnerable: Relies on an incomplete list of disallowed inputs
    const disallowedInputs = ['<script>', 'SELECT * FROM', 'DROP TABLE'];
    
    // Check if input contains any disallowed phrases
    for (let disallowed of disallowedInputs) {
        if (input.includes(disallowed)) {
            return false; // Input is considered invalid
        }
    }
    return true; // Input is considered valid
}

// Example usage
console.log(isValidInput("<script>alert('XSS')</script>")); // false, blocked correctly
console.log(isValidInput("SELECT name FROM users")); // true, should be false

Explanation

  • Vulnerability: This code snippet demonstrates an incomplete list of disallowed inputs. It attempts to block potentially harmful inputs by checking against a predefined list of dangerous strings. However, this approach is flawed because it's impossible to anticipate all possible dangerous inputs or variations (e.g., different SQL commands or script tags). Inputs like "SELECT name FROM users" are not blocked, even though they could be dangerous.

How to fix Incomplete List of Disallowed Inputs?

  • Principle: Instead of relying on a disallowed list, use a positive validation approach. Define a list of allowed patterns or input types that are explicitly considered safe.
  • Sanitization: Apply input sanitization and encoding to neutralize harmful content.
  • Use Libraries: Leverage well-known libraries designed for input validation and sanitization to handle complex cases and edge scenarios effectively.

Fixed Code Example

JavaScript Example

// A function that uses a whitelist approach for input validation
function isValidInput(input) {
    // Allow only alphanumeric characters and basic punctuation
    const allowedPattern = /^[a-zA-Z0-9\s,.!?]*\$/;
    
    // Validate input against the allowed pattern
    if (!allowedPattern.test(input)) {
        return false; // Input contains disallowed characters
    }
    
    // Additional sanitization can be done here
    return true; // Input is considered valid
}

// Example usage
console.log(isValidInput("<script>alert('XSS')</script>")); // false, blocked correctly
console.log(isValidInput("SELECT name FROM users")); // false, blocked correctly
console.log(isValidInput("Hello, world!")); // true, allowed input

Explanation

  • Fixed Approach: The fixed code uses a whitelist pattern to define what is considered valid input. In this case, it only allows alphanumeric characters and basic punctuation. This ensures that only expected and safe inputs are processed.
  • Benefits: By defining what is allowed rather than what is not, we reduce the risk of missing potentially dangerous inputs. This approach is more robust and easier to maintain.
  • Sanitization: Additional sanitization and encoding should be applied based on the context where the input will be used (e.g., HTML encoding to prevent XSS when rendering outputs on a webpage).
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-184: Incomplete List of Disallowed Inputs and get remediation guidance

Start for free and no credit card needed.