Such an allow list lets “only known good” characters into the application and rejects everything else. Regular expressions are the common way to express which character types a field may contain.
An attacker can encode input into a form that the application (or a downstream component) still interprets as intended, but that does not look like an obvious attack to the validation layer. Representing ASCII characters through Unicode (or another alternative) encoding is one such way of bypassing input validation.
Without data validation an attacker can inject metacharacters, malicious commands or command modifiers masquerading as legitimate information, and the web application will blindly pass them on to the external system for execution.
Checking for minimum and maximum length is of paramount importance, even if the code base is not vulnerable to buffer overflow attacks. This configuration file contains error messages among other things. If input is limited in length, the size of any script that can be injected into the web application is reduced as well.
The application should respond correctly to, and recognise, all possible representations of invalid characters. Example: the ASCII string <script> has Unicode-encoded equivalents that must be recognised as the same input. The OWASP Guide 2.1 delves much more deeply into this subject.
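The practical consequence of the two paragraphs above is that validation must run on a canonical form of the input, not on the raw bytes. The following is an added example (not code from the OWASP Guide): it repeatedly decodes the encodings a browser or proxy might apply (IIS-style %uXXXX, percent-encoding including double encoding, HTML entities) and then applies Unicode NFKC normalisation so that fullwidth look-alikes fold to their ASCII equivalents, before checking for forbidden characters. The forbidden-character set and the round limit are illustrative choices, not values from the page.

```python
"""Canonicalise encoded input before validating it.

Added example; the forbidden-character set and decoding depth are assumptions
chosen for illustration.
"""
import html
import re
import unicodedata
from urllib.parse import unquote

# IIS-style %uXXXX escapes, e.g. %u003c for '<'; urllib does not decode these.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Characters that this (illustrative) field must never contain once decoded.
FORBIDDEN = set("<>\"'&;|`$")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing (bounded), then NFKC-normalise.

    Decoding in a loop catches double encoding such as %253C -> %3C -> '<'.
    The bound stops an attacker from making us loop on pathological input.
    """
    s = raw
    for _ in range(max_rounds):
        before = s
        s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)  # %u003c -> '<'
        s = unquote(s)        # %3C -> '<'; UTF-8 byte sequences such as %C3%A9 -> 'é'
        s = html.unescape(s)  # &lt; &#60; &#x3c; -> '<'
        if s == before:
            break
    # NFKC folds compatibility characters, e.g. U+FF1C FULLWIDTH '＜' -> '<'.
    return unicodedata.normalize("NFKC", s)


def contains_forbidden(raw: str) -> bool:
    """True if any representation of a forbidden character is present."""
    return any(ch in FORBIDDEN for ch in canonicalize(raw))


if __name__ == "__main__":
    # Constructed sample inputs: every line below is the same <script> tag.
    samples = [
        "<script>",
        "%3Cscript%3E",
        "%u003cscript%u003e",
        "&lt;script&gt;",
        "%253Cscript%253E",
        "\uff1cscript\uff1e",
    ]
    for sample in samples:
        print(f"{sample!r:30} -> {canonicalize(sample)!r} forbidden={contains_forbidden(sample)}")
```

Validate the canonical string, not the raw one, and make sure the rest of the application receives exactly the string that was validated; decoding again later (for example by an application server that also URL-decodes) reopens the gap this closes.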
There are a number of models to consider when designing a data validation strategy; listed from strongest to weakest, they are as follows.
In addition, there must be a check on the maximum length of any input received from an external source, whether a downstream service or computer or a user at a web browser.
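The allow-list regular expression approach described earlier and the minimum/maximum length check above belong in the same validator, and the order matters. The following is an added example (not the page's or OWASP's code) that shows a weak check beside a hardened one. The field names, patterns and length bounds are illustrative assumptions. The weak version has two defects a tester can exercise directly: Python's `$` anchor matches before a trailing newline, so `"alice\n"` passes, and with no length bound a megabyte of input is accepted.

```python
"""Allow-list plus length validation for web input.

Added example; field rules below are illustrative assumptions.
"""
import re

# --- weak: unanchored at the end in practice, and no length bound ----------
# '$' matches before a final "\n", so "alice\n" is accepted; nothing limits size.
WEAK_USERNAME = re.compile(r"^[A-Za-z0-9_]+$")


def weak_is_valid(value: str) -> bool:
    return WEAK_USERNAME.match(value) is not None


# --- hardened: per-field allow list with explicit min/max length -----------
# \A and \Z anchor the whole string (no trailing-newline exception); explicit
# ASCII classes avoid \w and \d, which also match non-ASCII letters and digits.
RULES = {
    "username": (re.compile(r"\A[A-Za-z0-9_]+\Z"), 3, 32),
    "zipcode": (re.compile(r"\A[0-9]{5}(-[0-9]{4})?\Z"), 5, 10),
}


class ValidationError(ValueError):
    pass


def validate(field: str, value: object) -> str:
    """Return value unchanged if it satisfies the field's rule, else raise."""
    if field not in RULES:
        raise ValidationError(f"{field}: no validation rule defined, rejecting")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    pattern, min_len, max_len = RULES[field]
    # Length first: cheap, and it keeps oversized input away from the regex
    # engine and from anything downstream (logs included).
    if not (min_len <= len(value) <= max_len):
        raise ValidationError(f"{field}: length {len(value)} outside {min_len}..{max_len}")
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{field}: contains characters outside the allow list")
    return value


def is_valid(field: str, value: object) -> bool:
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed inputs showing where the weak check and the hardened one differ.
    for sample in ["alice_01", "alice\n", "a" * 10000, "<script>"]:
        print(f"{sample[:20]!r:24} weak={weak_is_valid(sample)!s:5} hardened={is_valid('username', sample)}")
```

Reject unknown fields rather than passing them through, and keep length limits tight enough that a rejected value can be logged in full without letting an attacker fill the log.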
An attack of this type can be used to recycle the log file, hence removing the audit trail.