While testing a company's internal ticketing site, you log in as user 102 and view your tickets at /tickets/102/. When you manually change the URL to /tickets/1/, the application shows the contents of ticket 1 instead of returning a 403 Forbidden response. Which access-control attack are you performing to confirm that authorization checks are missing?
Blind SQL injection to enumerate valid user IDs
Forced browsing through an insecure direct object reference (IDOR)
Stored cross-site scripting to steal higher-privilege cookies
Cross-site request forgery against an administrative session
The test relies on forced browsing, also called an insecure direct object reference (IDOR). By manipulating a numeric identifier in the URL, you directly request an object that should be protected by server-side authorization. If the server returns the object without verifying that the requester is entitled to it, the application suffers from broken access control. CSRF, XSS, and SQL injection can also compromise security, but they do not specifically test whether object-level authorization controls are enforced for each request.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is forced browsing or insecure direct object reference (IDOR)?
Open an interactive chat with Bash
What is the difference between IDOR and CSRF?
Open an interactive chat with Bash
How does broken access control affect security in web applications?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .