Throughout this book, we will describe numerous attacks of this kind, which
are effective in defeating many applications' defenses against common
input-based vulnerabilities.
Avoiding problems with multistep validation and canonicalization can
sometimes be difficult, and there is no single solution. One approach is to
apply the sanitization steps recursively, repeating them until a pass makes
no further modification to the item of input. However, where the desired
sanitization involves escaping a problematic character rather than removing
it, every pass modifies the input again (the escaped character is still
present), so a loop that waits for the input to stop changing never
terminates. Often the problem can only be addressed on a case-by-case basis,
according to the types of validation being performed. Where feasible, it may
be preferable not to attempt to clean some kinds of bad input at all, and
simply to reject it.
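The following example, added here and not taken from the book, shows the three behaviours described above in a few lines of Python: a single-pass strip of `<script>` that a nested payload survives, the same strip repeated until the input stops changing, an escaping step that never reaches that fixed point (so the loop must be bounded), and a reject-rather-than-clean validator. The function names, the `max_rounds` cap and the sample inputs are constructed for illustration.

```python
import re

# Naive blacklist filter: remove the literal tag "<script>" (case-insensitive).
SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)


def strip_once(value: str) -> str:
    """Single-pass sanitization: one removal of the blacklisted tag."""
    return SCRIPT_TAG.sub("", value)


def strip_until_stable(value: str, max_rounds: int = 10) -> tuple[str, bool]:
    """Recursive sanitization: reapply strip_once until a pass changes nothing.

    Returns (result, converged). converged is False if the cap was hit,
    which guards against the non-terminating case shown below.
    """
    for _ in range(max_rounds):
        cleaned = strip_once(value)
        if cleaned == value:
            return value, True
        value = cleaned
    return value, False


def escape_once(value: str) -> str:
    """Escape single quotes with a backslash instead of removing them."""
    return value.replace("'", "\\'")


def escape_until_stable(value: str, max_rounds: int = 10) -> tuple[str, bool]:
    """Same fixed-point loop, but driven by an escaping step.

    Because the escaped character is still present after each pass, every
    pass adds another backslash and the input never stops changing; without
    the max_rounds cap this would loop forever.
    """
    for _ in range(max_rounds):
        escaped = escape_once(value)
        if escaped == value:
            return value, True
        value = escaped
    return value, False


# Characters we refuse to clean up at all (hypothetical policy for a field
# that should never legitimately contain markup or quotes).
REJECT_CHARS = set("<>'\"")


def is_acceptable(value: str) -> bool:
    """Reject-don't-clean: accept the input only if it needs no sanitization."""
    return not (REJECT_CHARS & set(value))


if __name__ == "__main__":
    # Constructed nested payload: one strip pass reassembles the tag.
    payload = "<scr<script>ipt>"
    print(repr(strip_once(payload)))            # '<script>'  (bypass)
    print(strip_until_stable(payload))          # ('', True)  (converges)
    print(escape_until_stable("it's"))          # (..., False) (never converges)
    print(is_acceptable(payload), is_acceptable("plain text"))
```

The cap on `max_rounds` is the practical safeguard: a fixed-point loop over a sanitizer must either be proven to converge or be bounded, and an input that hits the bound should be treated as rejected, not as clean.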