A blocklist (also known as a blacklist or denylist) is a security approach that explicitly defines which entities are prohibited. Unlike an allowlist, which permits only approved items and blocks everything else, a blocklist permits everything except the items on the list. This "default allow" philosophy is inherently less secure because it requires anticipating every possible threat.
How It Works
Blocklists are used across many security domains. Network firewalls maintain blocklists of known malicious IP addresses. Email systems blocklist known spam senders. Web application firewalls blocklist known attack patterns in HTTP requests. Input validation routines blocklist dangerous characters or strings that could enable injection attacks.
The implementation typically involves checking incoming data against a list of prohibited values. If a match is found, the request is denied. If no match is found, the request is allowed to proceed. This check can occur at the network level, application level, or both. Regular expressions are commonly used to define blocklist patterns for input validation.
The fundamental weakness of blocklisting is that it cannot anticipate every possible malicious input. Attackers constantly develop new bypass techniques using encoding variations, Unicode characters, null bytes, case manipulation, and other transformations to evade blocklist filters. For example, a blocklist that blocks the string <script> can be bypassed with <ScRiPt>, <script%20>, <scr\x00ipt>, or dozens of other variations. Each bypass that is discovered and added to the blocklist can often be circumvented by yet another variation, so the defender is always one step behind.
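As an added illustration (not code from the original article), the following Python compares three input-validation strategies over constructed sample values that include the variants named above: a naive blocklist, a patched blocklist that adds case-insensitivity after the first bypass is found, and an allowlist that accepts only a defined shape. The username rule and all function names are hypothetical choices for the demonstration.

```python
import re

# Constructed sample values (not taken from any real application). The last
# four are the bypass variants named in the text above.
SAMPLE_INPUTS = ["alice_01", "<script>", "<ScRiPt>", "<script%20>", "<scr\x00ipt>"]

# Strategy 1: naive blocklist. Anything that matches no prohibited pattern passes.
BLOCKLIST_V1 = [re.compile(r"<script>")]


def blocklist_v1_allows(value: str) -> bool:
    """Default-allow: accept unless a prohibited pattern matches."""
    return not any(p.search(value) for p in BLOCKLIST_V1)


# Strategy 2: the same blocklist after one bypass (<ScRiPt>) was reported and
# "fixed" by making the match case-insensitive. The other variants still pass.
BLOCKLIST_V2 = [re.compile(r"<script>", re.IGNORECASE)]


def blocklist_v2_allows(value: str) -> bool:
    """Default-allow again; only the specific bypass that was noticed is closed."""
    return not any(p.search(value) for p in BLOCKLIST_V2)


# Strategy 3: allowlist. A single pattern describes what a valid value looks
# like (hypothetical username rule: 1-32 letters, digits or underscores).
ALLOWLIST_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def allowlist_allows(value: str) -> bool:
    """Default-deny: accept only if the whole value matches the approved shape."""
    return ALLOWLIST_PATTERN.fullmatch(value) is not None


def compare(values):
    """Map each value to (naive blocklist, patched blocklist, allowlist) decisions."""
    return {
        v: (blocklist_v1_allows(v), blocklist_v2_allows(v), allowlist_allows(v))
        for v in values
    }


def blocklist_misses(values, check=blocklist_v1_allows):
    """Values a blocklist lets through that the allowlist would reject."""
    return [v for v in values if check(v) and not allowlist_allows(v)]


if __name__ == "__main__":
    label = lambda ok: "allow" if ok else "deny"
    for v, (b1, b2, a) in compare(SAMPLE_INPUTS).items():
        print(f"{v!r:16} v1={label(b1):5} v2={label(b2):5} allowlist={label(a)}")
```

Running the script shows the pattern the text describes: each blocklist revision closes only the variant that was noticed, while the allowlist rejects every variant without ever having seen it, because it decides on what a valid value looks like rather than on a catalogue of known-bad strings.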
Why It Matters
Security assessments frequently target blocklist-based defenses because they are reliably bypassable. When applications rely solely on blocklists for protection against injection attacks or access control, testers will systematically probe for encoding tricks, edge cases, and variations that the blocklist does not cover. The consistent recommendation is to use allowlist-based validation wherever possible and treat blocklists only as a supplementary defense layer.