A web application responds to a URL parameter with an ID that points to a sensitive resource; this is an example of which vulnerability?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

A web application responds to a URL parameter with an ID that points to a sensitive resource; this is an example of which vulnerability?

Explanation:
Direct object references occur when a web application uses a user-supplied identifier to fetch a resource without properly enforcing authorization. In this case, the URL parameter provides an ID that points to a sensitive resource, and the app returns that resource just based on the ID. If there isn’t a strong access-control check in place, a user can alter the ID to access other users’ resources or sensitive data. The weakness is that the object reference itself is trusted to control access, rather than verifying that the requester is authorized to view the specific object. This isn’t an XML External Entity Attack, which relies on exploiting XML parsers and external entities; nor is it CRLF Injection, which targets HTTP headers through newline characters; nor is it Timeout Exploitation, which centers on performance or DoS aspects rather than direct unauthorized access to objects. The correct vulnerability category is insecure direct object references, rooted in inadequate access controls around object identifiers. To fix it, enforce authorization checks on every object retrieval, or use indirect references (opaque tokens) that map to objects only after proper authorization.

Direct object references occur when a web application uses a user-supplied identifier to fetch a resource without properly enforcing authorization. In this case, the URL parameter provides an ID that points to a sensitive resource, and the app returns that resource just based on the ID. If there isn’t a strong access-control check in place, a user can alter the ID to access other users’ resources or sensitive data. The weakness is that the object reference itself is trusted to control access, rather than verifying that the requester is authorized to view the specific object.

This isn’t an XML External Entity Attack, which relies on exploiting XML parsers and external entities; nor is it CRLF Injection, which targets HTTP headers through newline characters; nor is it Timeout Exploitation, which centers on performance or DoS aspects rather than direct unauthorized access to objects. The correct vulnerability category is insecure direct object references, rooted in inadequate access controls around object identifiers. To fix it, enforce authorization checks on every object retrieval, or use indirect references (opaque tokens) that map to objects only after proper authorization.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy