SY0-501 Question #341: Real Exam Question with Answer & Explanation
The correct answer is C: Input validation.
Question
A security analyst accesses corporate web pages and inputs random data in the forms. The response received includes the type of database used and SQL commands that the database accepts. Which of the following should the security analyst use to prevent this vulnerability?
Options
- A. Application fuzzing
- B. Error handling
- C. Input validation
- D. Pointer dereference
Explanation
The security analyst discovered an information disclosure vulnerability: when the web application was given random input, its response revealed the database type and the SQL commands the database accepts. Implementing input validation is the appropriate measure to prevent this vulnerability, because it rejects malformed input before it can reach the database and trigger the error that leaks those details.
Common mistakes
- A. Application fuzzing is a testing technique the security analyst uses to discover vulnerabilities, not a preventative control implemented within the application itself.
- B. Proper error handling would stop the sensitive details from being displayed in error messages, but input validation stops the invalid input from ever causing a database error that could lead to such disclosure.
- D. Pointer dereference is a programming operation for accessing memory locations and is unrelated to preventing web application information disclosure vulnerabilities arising from user input.
Concept tested: Web application input validation for security
Reference: https://learn.microsoft.com/en-us/security/sdl/practices/validate-input