Question 1 - CertNexus ITS-110 Real Exam Questions [Jan 2026 Update]

Q: 1

A web administrator is concerned about injection attacks. Which of the following mitigation techniques should the web administrator implement?

Options

Correct Answer:

Explanation

Injection attacks, such as SQL injection or Cross-Site Scripting (XSS), occur when an attacker sends malicious data to an application, which is then processed or executed. The most effective mitigation technique is parameter validation, also known as input validation. This practice involves rigorously checking all data received from a user or external source to ensure it conforms to strict rules for type, length, format, and content. By validating that input is safe and expected before it is used, the application can reject malicious payloads, preventing them from being interpreted as commands or executable code by a backend system.

Why Incorrect

A. Configure single sign-on (SSO): This is an authentication mechanism that improves user experience but does not inspect or sanitize the content of user input to prevent injection attacks.

C. Require strong passwords: This is an authentication control measure that makes user accounts harder to compromise through guessing or brute force, but it is unrelated to validating application input.

D. Require two-factor authentication (2FA): This enhances authentication security by requiring a second verification factor, but it does not protect the application from malicious input submitted by an authenticated user.

References

1. OWASP Foundation. (2021). OWASP Top 10:2021. A03:2021-Injection. In the "How to Prevent" section

the primary recommendation is to "Use a safe API

which avoids using the interpreter entirely or provides a parameterized interface

" followed by server-side input validation. This directly supports parameter validation as a key defense. Retrieved from https://owasp.org/Top10/A032021-Injection/

2. Zeldovich

& Kaashoek

F. (2014). 6.858 Computer Systems Security

Fall 2014. MIT OpenCourseWare. Lecture 15: Web Security

Slides 20-23. The lecture explicitly identifies "Check user input" (input validation) and using "prepared statements" (a form of parameterization) as the primary defenses against SQL injection attacks.

3. Scarfone

Souppaya

& Cody

A. (2007). Guide to Secure Web Services (NIST Special Publication 800-95). National Institute of Standards and Technology. Section 5.3

"Input Validation

" states

"Input validation should be performed to ensure that all input is well-formed and trustworthy... This is a defense against many types of attacks

including... SQL injection." (p. 5-4). DOI: https://doi.org/10.6028/NIST.SP.800-95

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE