GCIH · Question #419
What is the best approach to successfully filter out potentially harmful characters from user input?
The correct answer is D. Define what is acceptable and filter out everything else.. Input validation is most effective when using an allowlist approach - defining what is acceptable and rejecting everything else, rather than trying to enumerate all harmful inputs.
Question
What is the best approach to successfully filter out potentially harmful characters from user input?
Options
- APerform input validation at the client program as the input is being provided.
- BInclude stringent content filtering at each firewall and proxy server.
- CDefine and filter out what is unacceptable, then allow everything else.
- DDefine what is acceptable and filter out everything else.
How the community answered
(39 responses)- A3% (1)
- B3% (1)
- C8% (3)
- D87% (34)
Why each option
Input validation is most effective when using an allowlist approach - defining what is acceptable and rejecting everything else, rather than trying to enumerate all harmful inputs.
Client-side validation is easily bypassed by an attacker using a proxy or by disabling JavaScript, providing no real security guarantee.
Firewalls and proxies operate at the network layer and cannot reliably perform context-aware input validation for application-specific fields.
Defining and filtering out unacceptable characters (denylisting) is inherently incomplete because new attack vectors, encoding schemes, and character combinations can bypass a fixed blocklist.
Allowlisting (defining acceptable input and rejecting everything else) is the strongest approach because attackers constantly discover new malicious character combinations and encoding tricks. A denylist can never be exhaustive, but an allowlist restricts input to only known-safe values. This approach is recommended by OWASP as the primary defense against injection attacks.
Concept tested: Input validation allowlist vs denylist strategy
Source: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.