CompTIA Security Plus Mock Test Q739

Which of the following is true about input validation in a client-server architecture, when data integrity is critical to the organization?

A. It should be enforced on the client side only.
B. It must be protected by SSL encryption.
C. It must rely on the user’s knowledge of the application.
D. It should be performed on the server side.


Correct Answer: D
Section: Application, Data and Host Security

Explanation:
Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a round trip to the server. However, client-side validation can be easily bypassed (the client is under the user's control, and requests can be sent to the server without ever passing through the client code) and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks.
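The following is an added example (not part of the mock test or its cited reference) showing the pattern the explanation describes: the same rule is checked on the client purely for user experience, while the server independently validates the raw request it actually received. The function names, the quantity rule, and the sample request bodies are assumptions made for this illustration.

```javascript
// Added example: the same validation rule on both sides, with the server as
// the authoritative check. Names and sample payloads are assumptions for
// this illustration, not code from the question or its reference.

// Shared rule: a quantity field must be an integer between 1 and 100.
function isValidQuantity(value) {
  return typeof value === "number" &&
    Number.isInteger(value) &&
    value >= 1 && value <= 100;
}

// Client side: purely for user experience. Returns a message the UI can show
// immediately, saving a round trip to the server. Nothing here is trusted.
function clientSideCheck(formQuantity) {
  const n = Number(formQuantity);
  return isValidQuantity(n) ? null : "Quantity must be a whole number from 1 to 100";
}

// Server side: the authoritative check. It validates the raw body it actually
// received and never assumes that clientSideCheck ran on the way in.
function handleOrderRequest(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return { status: 400, error: "malformed JSON" };
  }
  if (parsed === null || typeof parsed !== "object") {
    return { status: 400, error: "body must be a JSON object" };
  }
  // Strict type check: the string "5" is rejected, not coerced.
  if (!isValidQuantity(parsed.quantity)) {
    return { status: 400, error: "invalid quantity" };
  }
  return { status: 200, ok: true, quantity: parsed.quantity };
}

// Constructed sample requests: one that came through the browser form, and
// two sent straight to the API where the client-side check never ran.
const fromBrowserForm = JSON.stringify({ quantity: 5 });
const directToApi = JSON.stringify({ quantity: -1 });
const notEvenJson = "quantity=5&admin=true";

function demo() {
  return {
    uxHint: clientSideCheck("abc"),            // message shown in the UI
    normal: handleOrderRequest(fromBrowserForm), // status 200
    bypass: handleOrderRequest(directToApi),     // status 400
    garbage: handleOrderRequest(notEvenJson),    // status 400
  };
}

console.log(demo());
```

The point to notice is that `handleOrderRequest` reaches the same verdict whether or not `clientSideCheck` was ever executed; the client check only changes how quickly a legitimate user learns about a typo.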

Incorrect Answers:
A: Client-side validation is recommended to improve the user experience. However, it can be easily bypassed and should never be used for security purposes.
B: SSL encryption is used for sending data securely between a client and a server. However, it is not used for input validation.
C: Input validation must NOT rely on the user’s knowledge of the application. In fact, it should assume a lack of knowledge on the user’s part.

References:
http://web.securityinnovation.com/appsec-weekly/blog/bid/67936/Do-Not-Rely-on-Client-Side-Validation