A security consultant reviewing web server logs for an online banking portal notices a tester sending a series of GET requests such as /view.aspx?account=200, /view.aspx?account=201, and /view.aspx?account=202. Each response returns full JSON objects containing account balances, names, and mailing addresses that do not belong to the authenticated user whose session cookie appears in the request headers. No additional tokens or access-control checks are observed in the responses, and the tester is able to iterate through more than 1,000 consecutive IDs in a short period. Based on the activity, which type of vulnerability is being exercised to pull sensitive data from records the user does not own?
Shared default credentials have been left active for all user accounts
Public share enumeration has been enabled by default for the application
Numeric references are used with no proper verification, allowing access to other records
Sensitive content is transferred without encryption during transit
The application exposes database objects directly through the account parameter without enforcing ownership checks. Because the server trusts the client-supplied numeric identifier, an attacker can increment or otherwise manipulate the value to retrieve objects that reside outside the user's authorization boundary. This is the classic insecure direct object reference flaw, sometimes grouped under broken access control. The other options describe issues such as weak credentials, clear-text transport, or overly permissive file shares, none of which involve manipulating a record ID in a request.
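As an added example (not part of the original question), the lookup below shows the vulnerable pattern described above beside an ownership-checked version, plus a small log heuristic for the sequential-ID pattern the consultant observed; the account records, session IDs and log format are constructed for illustration.

```python
# Added example: vulnerable vs. hardened account lookup, and a log heuristic for
# sequential-ID enumeration. All data below is constructed, not from a real system.
import re
from collections import defaultdict

# Constructed sample store: account_id -> record (owner ids are made up)
ACCOUNTS = {
    200: {"owner": "u1", "name": "A. Smith", "balance": 1200.50},
    201: {"owner": "u2", "name": "B. Jones", "balance": 87.00},
    202: {"owner": "u3", "name": "C. Lee", "balance": 5400.00},
}

def view_account_vulnerable(session_user, account_id):
    """IDOR: trusts the client-supplied numeric ID and never checks ownership."""
    record = ACCOUNTS.get(account_id)
    return (200, record) if record else (404, None)

def view_account_hardened(session_user, account_id):
    """Resolve the record, then enforce that it belongs to the authenticated user.
    Using the same 404 for 'missing' and 'not yours' avoids confirming which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        return (404, None)
    return (200, record)

# Constructed log lines in a simplified "<session> GET <path>" format
LOG = """\
sess-abc GET /view.aspx?account=200
sess-abc GET /view.aspx?account=201
sess-abc GET /view.aspx?account=202
sess-xyz GET /view.aspx?account=201
"""
_LINE = re.compile(r"^(\S+) GET /view\.aspx\?account=(\d+)$")

def enumeration_suspects(log_text, threshold=3):
    """Return sessions that requested at least `threshold` distinct account IDs.
    This is the volume signal a reviewer would triage; tune the threshold per site."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```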