While testing a SaaS project-management API, you successfully retrieve your own project at /api/v1/projects/357 using a valid session cookie. To confirm whether horizontal authorization controls are missing, which modification to the captured request should you perform next?
Replace the project ID 357 with another sequential value such as 358 to see if data from a different account is returned.
Change the HTTP method from GET to OPTIONS to check for supported verbs.
Remove the Session cookie header entirely and resend the request to observe the server's default response.
Add the header X-Forwarded-For: 127.0.0.1 hoping the server will treat the request as internal.
Changing the object identifier in the URI is the quickest way to test whether authorization is enforced for each resource. If the application returns data for /api/v1/projects/358 even though your user is not associated with that project, it demonstrates an insecure direct object reference (IDOR) and horizontal privilege escalation. Simply removing the session cookie should generate an unauthenticated error, not prove an authorization flaw. Switching to the OPTIONS verb only enumerates methods and does not challenge authorization logic, while spoofing X-Forwarded-For relies on a misconfigured IP trust list rather than object-level access control.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an insecure direct object reference (IDOR)?
Open an interactive chat with Bash
What is the difference between horizontal and vertical privilege escalation?
Open an interactive chat with Bash
How does spoofing X-Forwarded-For impact authorization logic?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Web Application Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .