CWE-184 (Incomplete List of Disallowed Inputs) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-184

Incomplete List of Disallowed Inputs

Weakness Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Potential Mitigations

Implementation

Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Common Consequences

Access Control

Bypass Protection Mechanism

Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.

Detection Methods

Black Box

Exploitation of a vulnerability with commonly-used manipulations might fail, but minor variations might succeed.

Related Weaknesses

CWE-693 CWE-1023 CWE-79 CWE-78 CWE-434 CWE-98

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources