Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:
Restricting input to specific data types (e.g., integer, string)
Limiting size, format, or allowed characters
Accepting only expected values (e.g., country codes, age ranges)
This practice is highly effective in mitigating SQL injection and other input-based attacks.
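As an added illustration (not part of the courseware), the three allowlist rules above applied to a user lookup in Python: each field is checked against a type, a length/character pattern, or a fixed set of expected values before it is bound into a parameterised query. The field names, the country-code set and the in-memory table are constructed for the example.

```python
import re
import sqlite3

# Allowlist rules: each field names the only shapes of input that are accepted.
ALLOWED_COUNTRY_CODES = {"US", "DE", "IN", "BR"}   # constructed sample set
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")   # letters, digits, underscore only


class ValidationError(ValueError):
    """Raised whenever input falls outside the allowlist."""


def validate_age(raw: str) -> int:
    """Accept only a small integer in the expected range; reject everything else."""
    if not raw.isdigit() or len(raw) > 3:
        raise ValidationError(f"age must be digits only: {raw!r}")
    age = int(raw)
    if not 0 <= age <= 120:
        raise ValidationError(f"age out of range: {age}")
    return age


def validate_country(raw: str) -> str:
    """Accept only a value from the fixed set of known country codes."""
    code = raw.strip().upper()
    if code not in ALLOWED_COUNTRY_CODES:
        raise ValidationError(f"unknown country code: {raw!r}")
    return code


def validate_username(raw: str) -> str:
    """Accept only the allowed characters and length; no other characters pass."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError(f"username has disallowed characters or length: {raw!r}")
    return raw


def find_users(conn, username: str, country: str, max_age: str) -> list:
    """Validate every field against its allowlist, then query with bound parameters."""
    u, c, a = validate_username(username), validate_country(country), validate_age(max_age)
    # Validated values are bound as parameters, never concatenated into the SQL text.
    cur = conn.execute(
        "SELECT name FROM users WHERE name = ? AND country = ? AND age <= ?", (u, c, a))
    return [row[0] for row in cur.fetchall()]


def demo_db():
    """Constructed in-memory sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, country TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "US", 34), ("bob", "DE", 51)])
    return conn
```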
Incorrect Options:
A. Output encoding prevents XSS by encoding output but doesn't validate input.
B. Enforcing least privilege is an access control principle.
D. Blacklist validation is less secure: it only blocks known bad inputs, so any input not on the list gets through and the check may be bypassed.
Reference – CEH v13 Official Courseware:
Module 14: Hacking Web Applications
Section: “Input Validation and SQL Injection Mitigation”
Subsection: “Whitelist vs Blacklist Input Validation”