nerdexam
EC-Council

312-50V11 · Question #585

While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?

The correct answer is C. Validate web content input for type, length, and range.. Validating input for type, length, and range is the standard whitelist-based approach that systematically blocks malicious payloads before they can be processed by the application.

Hacking Web Applications

Question

While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input?

Options

  • AValidate web content input for query strings.
  • BValidate web content input with scanning tools.
  • CValidate web content input for type, length, and range.
  • DValidate web content input for extraneous queries.

How the community answered

(47 responses)
  • A
    4% (2)
  • B
    4% (2)
  • C
    79% (37)
  • D
    13% (6)

Why each option

Validating input for type, length, and range is the standard whitelist-based approach that systematically blocks malicious payloads before they can be processed by the application.

AValidate web content input for query strings.

Validating only query strings covers just one input vector and ignores malicious data delivered through POST bodies, HTTP headers, cookies, and other channels.

BValidate web content input with scanning tools.

Scanning tools perform external vulnerability assessments against the application and do not provide real-time runtime input validation within the application logic itself.

CValidate web content input for type, length, and range.Correct

Checking that input matches the expected data type (e.g., integer not arbitrary string), does not exceed a defined maximum length (preventing buffer overflow and oversized-payload attacks), and falls within an acceptable value range implements the core input validation principle recommended by OWASP. This approach blocks SQL injection, command injection, overflow, and many other injection-class vulnerabilities at the application's trust boundary, regardless of the delivery channel used by the attacker.

DValidate web content input for extraneous queries.

Filtering for 'extraneous queries' is vague and does not systematically address type mismatches, oversized payloads, or out-of-range values that constitute the bulk of malicious input.

Concept tested: Input validation - type, length, and range checking

Source: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Topics

#input validation#web security#data sanitization#secure coding

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice