During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
C. Direct object reference
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. This is an example of a direct object reference vulnerability. A direct object reference vulnerability occurs when an application exposes an object's direct reference, such as a file or database record, in the application's user interface. This allows an attacker to access or manipulate objects directly by manipulating the URL or other parameters, bypassing any intended access controls. In this case, the tester was able to gain access to a web application by manipulating the value of the "id" parameter in the URL.
It is important to note that options A, B, and D are also potential vulnerabilities that can be identified during a penetration test, but they are not as likely to be identified based on the given scenario as a direct object reference vulnerability.
Command injection, Broken authentication, and Cross-site scripting are also common vulnerabilities that can be identified during a penetration test, but they are not related to the scenario where the tester is able to change values in the URL and gain access to a web application.
C. Direct object reference
Explanation:
• Direct object reference: This vulnerability occurs when an application provides direct access to objects based on user-supplied input. In this case, by changing the id value in the URL from 5 to 10, the tester was able to access data or functionality that should not have been accessible, indicating that the application is not properly validating or restricting user input.
The scenario described where the tester changes values in the URL to gain access to a web application is indicative of exploiting a vulnerability known as:
C. Direct object reference
This vulnerability, also known as Insecure Direct Object References (IDOR), occurs when an application provides direct access to objects based on user-supplied input. In this case, by simply changing the value of the "id" parameter in the URL, the tester was able to access different objects (e.g., user accounts or data records). This kind of vulnerability reveals that there is inadequate access control, and users are able to access objects directly that they shouldn't have access to.
C. Direct object reference. The tester was able to change the value in the URL to access a resource that was not intended to be accessible, indicating a direct object reference vulnerability.
Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone accessing data on the site is allowed to access that data.
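The comments above describe the missing check in words; the following is an added illustration (not code from the exam, from ExamTopics or from any commenter) of the same `login.php?id=...` pattern written in Python. The record store, the `Session` object, the handler names and the sample users are all constructed for the example. The vulnerable handler resolves the record from the `id` parameter alone; the hardened handler keeps the direct reference in the URL but authorizes the request against the server-side identity, so changing `id=5` to `id=10` is denied instead of returning another user's data.

```python
# Added example (not from the page or any project): a minimal model of the
# login.php?id=... handler from the question, written in Python instead of PHP.
# RECORDS, Session, both handlers and the sample users are constructed.
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data: the object store that the "id" parameter indexes into.
RECORDS = {
    5:  {"owner": "alice", "email": "alice@example.com", "role": "user"},
    10: {"owner": "bob",   "email": "bob@example.com",   "role": "admin"},
}


@dataclass(frozen=True)
class Session:
    """The authenticated identity established by the login step."""
    username: str


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not see the record."""


def vulnerable_handler(session: Session, query: dict) -> dict:
    """IDOR: the record is selected purely from user-supplied input.

    Authentication has happened (a session exists), but nothing checks that
    the session's user is allowed to see the record the id points at, so
    editing id=5 to id=10 in the URL returns someone else's record.
    """
    record_id = int(query["id"])
    return RECORDS[record_id]


def hardened_handler(session: Session, query: dict) -> dict:
    """Same lookup plus an object-level authorization check.

    The reference is still direct (the id stays in the URL); the difference is
    that access is decided from the server-side identity, never from the
    parameter alone.
    """
    record_id = int(query["id"])
    record = RECORDS.get(record_id)
    # One denial for both "no such record" and "not your record", so the id
    # space cannot be mapped by comparing error messages.
    if record is None or record["owner"] != session.username:
        raise Forbidden(f"user {session.username!r} may not access id={record_id}")
    return record


def parse_query(url: str) -> dict:
    """Extract query parameters from a URL such as example.com/login.php?id=5."""
    return dict(parse_qsl(urlsplit(url).query))


def demo() -> tuple:
    """Replay the scenario from the question against both handlers."""
    alice = Session("alice")
    own_record = parse_query("example.com/login.php?id=5")
    other_record = parse_query("example.com/login.php?id=10")

    leaked = vulnerable_handler(alice, other_record)["owner"]   # "bob": the IDOR
    allowed = hardened_handler(alice, own_record)["owner"]      # "alice": permitted
    try:
        hardened_handler(alice, other_record)
        denied = False
    except Forbidden:
        denied = True                                           # id=10 refused
    return leaked, allowed, denied


if __name__ == "__main__":
    print(demo())  # ('bob', 'alice', True)
```

The fix is an authorization decision per object, not input validation: `10` is a perfectly well-formed id, which is why filtering or escaping the parameter does nothing here and why the vote for "Direct object reference" rather than injection or XSS fits the scenario.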
Community vote distribution: A (35%), C (25%), B (20%), Other