Incomplete Denylist to Cross-Site Scripting

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.


While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

See Also

Comprehensive Categorization: Injection

Weaknesses in this category are related to injection.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Named Chains

This view displays Named Chains and their components.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.