ExamTopics Logo
Mail Us[email protected]
Menu
Eccouncil Discussions
exam questions

Exam 312-50v10 All Questions

View all questions & answers for the 312-50v10 exam
Go to Exam

Exam 312-50v10 topic 1 question 21 discussion

Actual exam question from ECCouncil's 312-50v10
Question #: 21
Topic #: 1
[All 312-50v10 Questions]

Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key.
Suppose a malicious user Rob tries to get access to the account of a benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

  • A. "GET/restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1Host: westbank.com"
  • B. "GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
  • C. "GET/restricted/bank.getaccount("˜Ned') HTTP/1.1 Host: westbank.com"
  • D. "GET/restricted/\r\n\%00account%00Ned%00access HTTP/1.1 Host: westbank.com"
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by BlackAdam at July 5, 2023, 2:12 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
BlackAdam
9 months, 4 weeks ago
Selected Answer: C
C. "GET /restricted/bank.getaccount("˜Ned') HTTP/1.1 Host: westbank.com" Insecure direct object reference (IDOR) occurs when an application exposes internal object references (such as database keys, filenames, or URLs) without proper authorization or access control checks. Attackers can manipulate these references to access unauthorized resources or perform unauthorized actions. In option C, the request includes a specific method call, "bank.getaccount('Ned')", indicating an attempt to directly access the account information of user Ned. By specifying the name "Ned" directly in the request, the attacker, Rob, is trying to bypass any authorization or access control mechanisms and retrieve the account information for Ned.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago