nerdexam
GIAC

GCIH · Question #419

What is the best approach to successfully filter out potentially harmful characters from user input?

The correct answer is D. Define what is acceptable and filter out everything else.. Input validation is most effective when using an allowlist approach - defining what is acceptable and rejecting everything else, rather than trying to enumerate all harmful inputs.

Web Application Attacks & Post-Exploitation

Question

What is the best approach to successfully filter out potentially harmful characters from user input?

Options

  • APerform input validation at the client program as the input is being provided.
  • BInclude stringent content filtering at each firewall and proxy server.
  • CDefine and filter out what is unacceptable, then allow everything else.
  • DDefine what is acceptable and filter out everything else.

How the community answered

(39 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    8% (3)
  • D
    87% (34)

Why each option

Input validation is most effective when using an allowlist approach - defining what is acceptable and rejecting everything else, rather than trying to enumerate all harmful inputs.

APerform input validation at the client program as the input is being provided.

Client-side validation is easily bypassed by an attacker using a proxy or by disabling JavaScript, providing no real security guarantee.

BInclude stringent content filtering at each firewall and proxy server.

Firewalls and proxies operate at the network layer and cannot reliably perform context-aware input validation for application-specific fields.

CDefine and filter out what is unacceptable, then allow everything else.

Defining and filtering out unacceptable characters (denylisting) is inherently incomplete because new attack vectors, encoding schemes, and character combinations can bypass a fixed blocklist.

DDefine what is acceptable and filter out everything else.Correct

Allowlisting (defining acceptable input and rejecting everything else) is the strongest approach because attackers constantly discover new malicious character combinations and encoding tricks. A denylist can never be exhaustive, but an allowlist restricts input to only known-safe values. This approach is recommended by OWASP as the primary defense against injection attacks.

Concept tested: Input validation allowlist vs denylist strategy

Source: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

Topics

#input validation#allowlist filtering#injection prevention

Community Discussion

No community discussion yet for this question.

Full GCIH Practice