102 vulnerabilities classified as CWE-184 (不完整的黑名单). AI Chinese analysis included.
CWE-184 represents a critical input validation weakness where an application relies on a blacklist of prohibited inputs that fails to cover all malicious variations. This approach is inherently fragile because attackers can easily bypass incomplete lists using encoding techniques, alternative syntax, or edge cases not anticipated by the developer. Exploitation typically occurs when an adversary submits crafted payloads that evade the restricted set, allowing unauthorized commands, code execution, or data injection to proceed unchecked. To mitigate this risk, developers should abandon blacklisting in favor of whitelisting, which permits only explicitly verified and safe inputs. Additionally, implementing robust input sanitization and normalization processes ensures that diverse attack vectors are neutralized before processing, thereby closing the gaps left by incomplete disallowed lists and significantly strengthening the application’s security posture against injection-based threats.
public String removeScriptTags(String input, String mask) { return input.replaceAll("script", mask); }sub GetUntrustedInput { return($ARGV[0]); } sub encode { my($str) = @_; $str =~ s/\&/\&/gs; $str =~ s/\"/\"/gs; $str =~ s/\'/\'/gs; $str =~ s/\</\</gs; $str =~ s/\>/\>/gs; return($str); } sub doit { my $uname = encode(GetUntrustedInput("username")); print "<b>Welcome, $uname!</b><p>\n"; system("cd /home/$uname; /bin/ls -l"); }' pwdVulnerabilities classified as CWE-184 (不完整的黑名单) represent 102 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.