
The disadvantages of a blacklist-based approach to input validation

by NCC Group Publication Archive

24 July 2018

It is not uncommon to find websites that attempt to validate user input and block code injection attacks using a blacklist of dangerous characters or keywords. Superficially, this might seem like a common-sense way to protect a website with minimum effort, but it proves extremely difficult to defend comprehensively against every attack in this manner, especially in comparison to a whitelist-based approach.

The flexibility and sheer number of scripting languages that must be defended against can give an organisation that has implemented a blacklist-based approach a false sense of security. It also creates a heavy, ongoing workload for any developers tasked with maintaining and improving such a solution.

The whitepaper below discusses a range of input validation bypass techniques for sites implementing blacklist-based validation and provides a case for implementing a whitelist-based approach.
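The contrast the post draws can be made concrete in a few lines. The following is an added illustration, not code from the NCC Group whitepaper: a naive blacklist check of the kind described above is placed beside a whitelist (allowlist) check for the same hypothetical field, a username, and both are run over a handful of constructed inputs. The token list, the username pattern and the sample strings are all assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed example of a blacklist filter in the style the post describes:
# a fixed list of "dangerous" tokens checked by case-sensitive substring match.
# Every new spelling or encoding an attacker might use is a new entry to maintain.
BLACKLISTED_TOKENS = ("<script", "javascript:", "onerror=", "'", "--")


def blacklist_allows(value: str) -> bool:
    """Blacklist rule: accept unless a known-bad token appears verbatim."""
    return not any(token in value for token in BLACKLISTED_TOKENS)


# Whitelist (allowlist) rule for the same hypothetical field, a username:
# state exactly what valid data looks like and reject everything else.
# The pattern is an assumption for this example; real fields need their own.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{3,32}")


def whitelist_allows(value: str) -> bool:
    """Whitelist rule: accept only if the whole value matches the allowed shape."""
    return USERNAME_PATTERN.fullmatch(value) is not None


def evaluate(value: str) -> Dict[str, bool]:
    """Run both checks so the difference in outcome is visible side by side."""
    return {"blacklist": blacklist_allows(value), "whitelist": whitelist_allows(value)}


# Constructed sample inputs (not taken from the whitepaper).
SAMPLES = (
    "alice_42",                    # ordinary username: both accept
    "<script>alert(1)</script>",   # matches a listed token: both reject
    "<SCRIPT>alert(1)</SCRIPT>",   # same content, different case: blacklist accepts
    "alice%3Cscript%3E",           # URL-encoded angle brackets: blacklist accepts
)


def blacklist_misses() -> List[str]:
    """Inputs the blacklist accepts but the whitelist rejects: the maintenance gap."""
    return [s for s in SAMPLES if blacklist_allows(s) and not whitelist_allows(s)]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} -> {evaluate(sample)}")
    print("accepted by blacklist only:", blacklist_misses())
```

The point of the comparison is the asymmetry in maintenance: the allowlist rejects the last two samples without anyone having anticipated them, whereas the blacklist only catches them once someone adds the corresponding entries, and the same will be true of the next variant.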


Download the whitepaper