One of the first widespread security vulnerabilities I had to deal with was this one:

https://www.giac.org/paper/gcih/115/iis-unicode-exploit/1011...

You could basically encode DOS commands in the URL bar for a site running IIS and it would run remotely.

The automated attack basically replaced the index.html pages. But if you didn’t use the default pages. It didn’t have any effect.