Approaches to Input Handling
There are various broad approaches that are commonly taken to the problem
of handling user input. Different approaches are often preferable for different
situations and different types of input, and a combination of approaches may
sometimes be desirable.
“Reject Known Bad”
This approach typically employs a blacklist containing a set of literal strings or
patterns that are known to be used in attacks. The validation mechanism
blocks any data that matches the blacklist and allows everything else.
In general, this is regarded as the least effective approach to validating user
input, for two main reasons. First, a typical vulnerability in a web application
can be exploited using a wide variety of different input, which may be
encoded or represented in various different ways. Except in the simplest of
cases, it is likely that a blacklist will omit some patterns of input that can be
used to attack the application. Second, techniques for exploitation are constantly evolving. Novel methods for exploiting existing categories of vulnerability are unlikely to be blocked by current blacklists.
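The following is an added example, not part of the original text, showing the first weakness described above in working code: a small "reject known bad" validator that matches a hypothetical blacklist against raw input, and the same check applied after canonicalising the input (bounded URL-decoding and case-folding) so that differently encoded representations of the same data are compared in one form. The blacklist patterns, the function names and the sample inputs are all constructed for this demonstration.

```python
"""
Added example (not from the original text): a minimal "reject known bad"
validator and the canonicalisation step a defender would put in front of it.
Patterns, names and sample inputs are constructed for this demonstration.
"""
import re
from urllib.parse import unquote

# Hypothetical blacklist: literal strings an application might treat as
# "known bad". Kept deliberately short; real blacklists are longer and,
# as the text explains, still incomplete.
BLACKLIST_PATTERNS = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"\.\./"),
]


def reject_known_bad(value: str) -> bool:
    """Naive blacklist check: True if the raw input matches any pattern."""
    return any(p.search(value) for p in BLACKLIST_PATTERNS)


def canonicalise(value: str, max_rounds: int = 3) -> str:
    """Reduce input to one canonical form before matching.

    URL-decodes repeatedly until the value stops changing (bounded, so that
    a value that keeps decoding cannot loop forever), then lower-cases it.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def reject_known_bad_canonical(value: str) -> bool:
    """Blacklist check applied to the canonical form instead of the raw input."""
    return reject_known_bad(canonicalise(value))


# Constructed samples: the first three are one payload in three representations,
# the last is ordinary user data that should be accepted.
SAMPLES = {
    "plain":          "<script>alert(1)</script>",
    "url_encoded":    "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "%253Cscript%253Ealert(1)%253C/script%253E",
    "benign":         "John O'Brien, Main St. <3",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return, per sample, the decision of the naive and the canonical check."""
    return {
        name: {
            "naive": reject_known_bad(value),
            "canonical": reject_known_bad_canonical(value),
        }
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15s} naive={result['naive']!s:5s} canonical={result['canonical']}")
```

Running the block shows the naive check rejecting only the plain form and passing both encoded forms, while the canonical check rejects all three and still accepts the benign string. Canonicalising before matching removes the specific gap shown here, but the result is still a blacklist: it recognises only the patterns it was given, so the second weakness in the text, novel exploitation techniques, remains.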