Black and white lists
Lists are used to avoid input validation errors during application development. These lists are divided into two main groups:
- Blacklist: A group of strings that are blocked by the application, in order to avoid being entered by the user. For example, they can be used to avoid the most common testing strings, such as
'1
,1==1--
, or<script>alert(1)</script>
. - Whitelist: The application allows data that follows a certain structure. For example, consider an application that has a registration form, and it is waiting for the user to enter an email address. A developer blocks an invalid email address using a blacklist. This is done by creating regular expressions in the application to accept any email address. But this value needs to have the usual email address structure, which means, it needs to have an
@
character, a user, domain, and so on.
Mixing blacklists and whitelists works very well for most input-validation scenarios, but in open redirects, it...