312-50V10 · Question #585
While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?
The correct answer is C. Validate web content input for type, length, and range.. Effective input validation restricts malicious input by checking data for correct type, acceptable length, and valid range, blocking the most common injection and overflow attack vectors.
Question
While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?
Options
- AValidate web content input for query strings.
- BValidate web content input with scanning tools.
- CValidate web content input for type, length, and range.
- DValidate web content input for extraneous queries.
How the community answered
(36 responses)- A6% (2)
- B3% (1)
- C89% (32)
- D3% (1)
Why each option
Effective input validation restricts malicious input by checking data for correct type, acceptable length, and valid range, blocking the most common injection and overflow attack vectors.
Validating only query strings is too narrow and leaves all other input vectors (form fields, headers, cookies) unprotected against malicious input.
Scanning tools are used for detection and analysis after the fact, not for enforcing input constraints at the point of data entry.
Validating for type ensures data matches the expected format (e.g., integer vs. string), validating for length prevents buffer overflow and excessively large payload attacks, and validating for range ensures values fall within acceptable boundaries. Together these three checks address the root causes of SQL injection, XSS, and buffer overflow vulnerabilities at the input boundary. This is the industry-standard approach defined by OWASP for secure input handling.
Validating for 'extraneous queries' is not a defined or comprehensive validation method and does not systematically address known attack classes like injection or overflow.
Concept tested: Input validation - type, length, and range enforcement
Source: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.