Usually when developers know what data must be transmitted, for example, when an application must process data from a user that it is always the same, like the username and password character fields that limit what the user can write, forcing the user to use at least a specific amount of characters (usually eight), and blocking him or her of surpassing the giving limit (usually sixteen). Ensuring that all data of the protocols are of a fixed length therefore limiting the number of vulnerabilities that an application may have in the future. Unfortunately, this is not implemented in applications as frequently as it should, many only adopt the credentials restriction, but, it also needs to be present in other aspects of an app application depending on how much “freedom” it gives to the end-user.
If the developers come to implement this, there are certain ways in which protocols handle the limitation. I will show three of them length-prefixed data, terminated data, and padded data.
1- Length-prefixed data:
If you know the data length in advance you can insert it directly into the protocol, you insert a specific value (for example seven is 0x07 in hex) at the beginning of a word in this example I will adopt the word “android” which has respectively 7 letters. The data would be parsed like.
0x007 | a | n | d | r | o| i | d
instead of the letters it would send the hex format of each one of them but for the sake of simplicity the only hex here is the number of letters which you specify. Remember you have inserted the number so if the person somehow try to send a different word like AAAA the package would be dropped.
2- Implicit-Length Date:
Terminated data has a terminal symbol defined that tells the data parser that the end of the data value has been reached, the value can be anything but it is usually considered as a NULL byte (0x00) . So if you send the word “android” it will be send as:
| a | n | d | r | o| i | d | 0x00 (protocol is using the NULL by as the terminating character
3- Padded data:
This method is used whenever there is a fixed value that the server is expecting to be send. The protocol then takes the unused data and fills it up with a character (we will use a * as the padding, but remember that any character can be used). So if want to send the word android but the server is expecting 16 bits, the data will be send like:
| a | n | d | r | o| i | d | * | * | * | * | * | * | * | * | * |
There are other methods, but this explanation was only made for you to have some notion on how we can use protocols to restrict data send to the server.
Hope I have helped you somehow, as always have a wonderful day 🙂