Certified Ethical Hacker (CEH v11) — Question 284

CyberTech Inc. recently experienced SQL injection attacks on its official website. The company appointed Bob, a security professional, to build and incorporate defensive strategies against such attacks. Bob adopted a practice in which input is accepted only if it matches an approved list of entities, such as a specific data type, range, size, and value.
What is the defensive technique employed by Bob in the above scenario?

Answer options

Correct answer: A

Explanation

The correct answer, Whitelist validation (also called allowlist validation), accepts only specific, pre-defined values for each input and rejects anything not on the list, which is why it prevents SQL injection. Output encoding does not prevent input attacks; it secures data on output. Blacklist validation tries to block known bad inputs but can be bypassed, and enforcing least privileges concerns user permissions, not input validation.
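As an added illustration (not part of the exam material), the allowlist approach from the explanation in Python: each input to a hypothetical product-search endpoint is checked against an approved type, range, size or value set, and only validated data reaches the query; the field names and the in-memory table are constructed for this example.

```python
import re
import sqlite3

# Allowlist rules for a hypothetical product-search endpoint (constructed for this
# example): input is accepted only if it matches an approved type, range, size or value.
ALLOWED_SORT_COLUMNS = {"name", "price", "created_at"}  # approved exact values
PRODUCT_ID_RANGE = (1, 10_000_000)                       # approved numeric range
NAME_MAX_LEN = 64                                        # approved size
NAME_PATTERN = re.compile(r"[A-Za-z0-9 _-]*")            # approved character set

def validate_product_id(raw: str) -> int:
    # Type check first: the whole string must be digits, not merely contain some.
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("product_id must be a positive integer")
    value = int(raw)
    if not PRODUCT_ID_RANGE[0] <= value <= PRODUCT_ID_RANGE[1]:
        raise ValueError("product_id out of range")
    return value

def validate_sort_column(raw: str) -> str:
    # Identifiers cannot be bound as parameters, so only an exact match is accepted.
    if raw not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return raw

def validate_name_filter(raw: str) -> str:
    if len(raw) > NAME_MAX_LEN or not NAME_PATTERN.fullmatch(raw):
        raise ValueError("name filter rejected by allowlist")
    return raw

def is_accepted(validator, raw: str) -> bool:
    try:
        validator(raw)
        return True
    except ValueError:
        return False

def search_products(conn, product_id: str, sort_column: str, name_filter: str):
    pid, col = validate_product_id(product_id), validate_sort_column(sort_column)
    name = validate_name_filter(name_filter)
    # Only the validated identifier is interpolated; validated data is still bound.
    sql = f"SELECT id, name, price FROM products WHERE id >= ? AND name LIKE ? ORDER BY {col}"
    return conn.execute(sql, (pid, f"%{name}%")).fetchall()

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample data, runs offline
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.5), (2, "gadget", 19.0), (3, "widget pro", 29.0)])
    return conn
```

Note that the allowlist decides by what an input is allowed to be, not by what it contains, which is the property a blacklist lacks.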