Corgea LogoCorgea Security Hub

CWE-692: Incomplete Denylist to Cross-Site Scripting

Learn about CWE-692 (Incomplete Denylist to Cross-Site Scripting), its security impact, exploitation methods, and prevention guidelines.

What is Incomplete Denylist to Cross-Site Scripting?

• Overview: This vulnerability occurs when a software product uses a denylist (also known as a blacklist) to prevent cross-site scripting (XSS) attacks, but the denylist is not comprehensive, allowing attackers to bypass it and execute malicious scripts.

• Exploitation Methods:

  • Attackers can craft inputs that are not included in the denylist, thus bypassing the protection and executing scripts in the victim's browser.
  • Common techniques include using different encodings, obfuscations, or exploiting browser-specific parsing quirks to deliver malicious scripts.

• Security Impact:

  • Direct consequences include unauthorized execution of scripts, which can lead to data theft, session hijacking, or defacement of web pages.
  • Potential cascading effects might involve an attacker gaining further access to user accounts or sensitive information within the application.
  • The business impact could involve loss of customer trust, legal liabilities, and financial costs associated with breach mitigation and recovery efforts.

• Prevention Guidelines:

  • Instead of relying on denylist-based filtering, implement allowlist (whitelist) approaches where only known safe inputs are permitted.
  • Apply proper output encoding for all user-generated content, especially when it is rendered in a browser context.
  • Use security libraries and frameworks that provide built-in XSS protection, such as the Content Security Policy (CSP) and frameworks like OWASP's AntiSamy.
  • Regularly update and test web applications against known XSS attack patterns, utilizing tools like static analysis software and vulnerability scanners.
Corgea can automatically detect and fix Incomplete Denylist to Cross-Site Scripting in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

JavaScript Example

// This function attempts to sanitize input by using a denylist approach.
// It removes specific unwanted script tags, but it's incomplete and can be bypassed.
function sanitizeUserInput(input) {
    // Attempt to remove script tags - an incomplete denylist approach
    return input.replace(/<script.*?>.*?<\/script>/gi, ""); 
}

function displayUserComment(comment) {
    // Vulnerable to XSS if input is not properly sanitized
    document.getElementById('comments').innerHTML = sanitizeUserInput(comment); 
}

// Example usage
let userComment = "<img src=x onerror=alert('XSS')>"; // Malicious input
displayUserComment(userComment);

Explanation

The above code attempts to sanitize user input by removing <script> tags using a regular expression. However, this approach is incomplete and can be easily bypassed by attackers using other HTML elements with event handlers (e.g., <img onerror>), or by using different variations of script tags. This makes the application vulnerable to Cross-Site Scripting (XSS) attacks.

How to fix Incomplete Denylist to Cross-Site Scripting?

To properly fix this vulnerability, avoid using denylist-based sanitization. Instead:

  1. Use a robust library for HTML escaping or sanitization that covers all potential attack vectors.
  2. Apply Content Security Policies (CSP) for an additional layer of defense.

A popular library for JavaScript is DOMPurify, which effectively sanitizes HTML by removing dangerous elements and attributes.

Fixed Code Example

// Import the DOMPurify library for safe HTML sanitization
import DOMPurify from 'dompurify';

function sanitizeUserInput(input) {
    // Use DOMPurify to sanitize input properly
    return DOMPurify.sanitize(input); 
}

function displayUserComment(comment) {
    // Properly sanitized input using DOMPurify
    document.getElementById('comments').innerHTML = sanitizeUserInput(comment); 
}

// Example usage
let userComment = "<img src=x onerror=alert('XSS')>"; // Malicious input
displayUserComment(userComment);

Explanation

In this fixed example, we replaced the denylist approach with DOMPurify, a library known for effectively cleaning HTML content by removing potentially dangerous elements and attributes. This ensures that all forms of XSS payloads are neutralized, not just those using <script> tags. Always use trusted and well-maintained libraries for security-critical tasks like sanitizing user input. Additionally, consider applying a Content Security Policy (CSP) to further mitigate XSS risks.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-692: Incomplete Denylist to Cross-Site Scripting and get remediation guidance

Start for free and no credit card needed.