When building a customer-facing web application, what approach to input validation should be implemented to MOST EFFECTIVELY mitigate injection attacks?
Enforcing data type constraints and requiring inputs to match the expected data types
Relying on a blocklist input validation to exclude known dangerous characters and patterns
Using cryptographic hashing of all inputs to avoid storing or processing plaintext input data
Implementing a allowlist input validation mechanism that accepts only specified inputs
Utilizing a allowlist input validation approach serves as the most effective mitigation technique against injection attacks because it permits only known safe inputs, based on a predefined set of criteria, to be processed by the application. This control is strict by nature and denies all input that does not strictly conform to the expected and validated format. On the contrary, relying on a blocklist input validation approach or solely relying on cryptographic hashing functions might not fully prevent injection attacks, as blocklists cannot anticipate all possible malicious inputs and hashing functions do not actually validate input but rather ensure data integrity post-submission. While data type enforcement is a good practice, on its own, it may not be sufficient to prevent the diversity of injection attacks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is allowlist input validation?
Open an interactive chat with Bash
What are injection attacks, and why are they dangerous?
Open an interactive chat with Bash
What is the difference between allowlist and blocklist validation?