During a web application test you log in as a standard user and notice the profile page URL ends with id=1042. Manually changing the id parameter to 1041 returns another customer's profile without triggering any authorization error. Which access-control weakness is being exploited in this situation?
SQL injection caused by unsanitized numeric parameters
Session fixation through predictable session identifiers
Insecure Direct Object Reference that allows horizontal privilege escalation
Cross-Site Request Forgery that forces unauthorized requests
The scenario is a textbook example of an Insecure Direct Object Reference (IDOR). The application exposes a direct reference to an internal object (the numeric user ID in the URL) and never verifies that the requesting user is authorized to access the object that reference identifies. Because the server performs no per-request authorization check on the supplied id, any authenticated user can substitute another customer's ID and perform horizontal privilege escalation, viewing data belonging to a peer at the same privilege level. SQL injection, CSRF, and session fixation do not rely solely on changing an object identifier and therefore do not match the behavior observed.
Certified Ethical Hacker (CEH)
Web Application Hacking