Exam SY0-601 topic 1 question 433 discussion

Actual exam question from CompTIA's SY0-601
Question #: 433
Topic #: 1
[All SY0-601 Questions]

A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company's mobile application. After reviewing the back-end server logs, the security analyst finds the following entries:



Which of the following is the most likely cause of the security control bypass?

  • A. IP address allow list
  • B. User-agent spoofing
  • C. WAF bypass
  • D. Referrer manipulation
Suggested Answer: D

Comments

krayxay
Highly Voted 1 year ago
This question was on the exam, FYI. I passed today with a 751 after failing the first time with a 722. These are a helpful resource.
upvoted 40 times
giancesarini2023
1 year ago
That's cool. Congratulations! Did a good percentage of the questions in this examtopics fall?
upvoted 3 times
mouettespaghetti
Highly Voted 1 year ago
B. Based on the provided information, the most likely cause of the security control bypass is user-agent spoofing. User-agent spoofing is a technique used by attackers to impersonate a legitimate user agent or mobile application to bypass security controls. In this case, the back-end server was exposing an API that should have only been available from the company's mobile application. By spoofing the user agent, the attacker was able to trick the back-end server into believing that the API request was coming from the legitimate mobile application, and therefore, was able to bypass the security control that was supposed to restrict access to the API to only the mobile application.
upvoted 8 times
sosa4547
Most Recent 4 days, 9 hours ago
I test on the 24th of May, I pray that I pass, or else I lose my job. I want to thank everyone on their contributions towards the discussions, they really help out. I will let you all know if I pass, and to help others, I'll add as many discussions as possible to confirm the right answer. I hate when people say the question was on the exam, but never say what they picked =(
upvoted 1 times
Dacoder
8 months, 3 weeks ago
Selected Answer: B
If you look at the data, the requests made as Postman were failing, but after the user-agent change they started to be successful.
upvoted 1 times
f6652ce
1 month, 1 week ago
How can you tell that they were successful using the different agent?
upvoted 1 times
Mehe323
1 week, 5 days ago
You need to look at the HTTP response codes: a code in the 200s means successful, and a code in the 400s means you can't access them.
upvoted 1 times
LeonardSnart
11 months ago
Selected Answer: B
"The following code listing displays the contents of a log file for an IIS web server. Notice that you can see the date and time that the request was made, the type of request (GET or POST), the file requested, and the client IP address that made the request. The last piece of information on the line is the user agent, which is the program used to make the request. Note that for brevity I have cut out any irrelevant information in the output.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-29 17:49:49
#Fields: date time cs-method cs-uri-stem s-port c-ip cs(User-Agent)
2011-03-29 17:49:49 GET /Default.htm 80 10.0.0.2 Mozilla...
2011-03-29 17:49:56 POST /process.asp 80 10.0.0.2 Mozilla...
2011-03-29 17:50:09 GET /deletecustomer.asp 80 10.0.0.2 Mozilla..."

- Security+ Certification Study Guide, Fourth Edition (SY0-601), by Glen Clarke
upvoted 1 times
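Worked example, added here and not part of the thread or of the Clarke study guide it quotes: it implements the check Dacoder and Mehe323 describe, parsing W3C extended log lines in the format LeonardSnart quotes and flagging a client IP that kept receiving 4xx responses until its User-Agent changed, after which 2xx responses began. The log lines, IP addresses, paths and User-Agent strings are constructed for the example.

```python
"""Added example (not from ExamTopics or the cited study guide): parse
W3C extended log lines, the format quoted from Glen Clarke's book above,
and flag a client IP whose requests were refused with a 4xx until its
User-Agent changed, after which the same IP received 2xx responses."""
from collections import defaultdict

# Constructed sample: a Postman client is refused, then the same IP succeeds
# after presenting the mobile app's User-Agent. W3C logs encode spaces as '+'.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2024-05-01 10:00:01 203.0.113.5 GET /api/v1/customers 403 PostmanRuntime/7.36.0
2024-05-01 10:00:07 203.0.113.5 GET /api/v1/customers 403 PostmanRuntime/7.36.0
2024-05-01 10:01:12 203.0.113.5 GET /api/v1/customers 200 AcmeMobile/3.2.1+(iOS)
2024-05-01 10:01:13 203.0.113.5 GET /api/v1/customers/export 200 AcmeMobile/3.2.1+(iOS)
2024-05-01 10:02:00 198.51.100.9 GET /api/v1/customers 200 AcmeMobile/3.2.1+(iOS)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_ua_switches(text):
    """Return one (ip, refused_user_agents, new_user_agent, uri) tuple per client
    IP whose first 2xx arrived under a User-Agent different from every
    User-Agent that had previously drawn a 4xx from that IP."""
    history = defaultdict(list)  # ip -> [(user_agent, status), ...]
    alerts, flagged = [], set()
    for rec in parse_w3c(text):
        ip, ua, status = rec["c-ip"], rec["cs(User-Agent)"], int(rec["sc-status"])
        refused = {u for u, s in history[ip] if 400 <= s < 500}
        if ip not in flagged and 200 <= status < 300 and refused and ua not in refused:
            alerts.append((ip, tuple(sorted(refused)), ua, rec["cs-uri-stem"]))
            flagged.add(ip)
        history[ip].append((ua, status))
    return alerts


if __name__ == "__main__":
    for alert in find_ua_switches(SAMPLE_LOG):
        print("possible user-agent spoofing:", alert)
```

A hit from this check shows only that the server's decision tracked the User-Agent header, which any client can set; that is the weakness the thread is pointing at, and the alert is the starting point for reviewing why the API trusted that header.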
Selected Answer: B
User-agent spoofing is the practice of changing or falsifying the user-agent string sent by a web browser or other HTTP client to a web server. The user-agent string is a piece of information that is sent along with an HTTP request and identifies the type and version of the web browser or client being used. By spoofing the user-agent string, an attacker can trick a web server into thinking that a request is coming from a different browser or client than the one that is actually being used. User-agent spoofing can be used by attackers to evade detection and bypass security controls, such as web application firewalls (WAFs) or content filtering systems. For example, an attacker could send a request with a user-agent string that matches that of a known and trusted browser or client, in order to avoid being blocked or flagged as suspicious by a WAF or content filtering system. Alternatively, an attacker could send a request with a user-agent string that appears to come from a mobile device, in order to bypass security controls that are designed to block requests from desktop browsers.
upvoted 3 times
fouserd
1 year ago
Selected Answer: B
The most likely cause of the security control bypass in this scenario is User-agent spoofing. User-agent spoofing is a technique where an attacker manipulates the user-agent string sent by their client to the server to impersonate a different client. In this case, the attacker may have spoofed the user-agent string to make it appear as if the requests were coming from the company’s mobile application, allowing them to bypass security controls and access the API.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other