During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. Which of the following vulnerabilities has the penetration tester exploited?
The vulnerability exploited in this scenario is a direct object reference. This occurs when an application exposes objects, such as files or database records, directly in the user interface, allowing attackers to manipulate parameters in the URL to access unauthorized data or functionality. In this example, the tester was able to change the 'id' parameter from 5 to 10 in the URL to gain access, indicating a lack of proper access controls.
Answer is C. Right out of the book.
C. Direct object reference During a penetration test, a tester is able to change values in the URL from example.com/login.php?id=5 to example.com/login.php?id=10 and gain access to a web application. This is an example of a direct object reference vulnerability. A direct object reference vulnerability occurs when an application exposes an object's direct reference, such as a file or database record, in the application's user interface. This allows an attacker to access or manipulate objects directly by manipulating the URL or other parameters, bypassing any intended access controls. In this case, the tester was able to gain access to a web application by manipulating the value of the "id" parameter in the URL. It is important to note that options A, B, and D are also potential vulnerabilities that can be identified during a penetration test, but they are not as likely to be identified based on the given scenario as a direct object reference vulnerability. Command injection, Broken authentication, and Cross-site scripting are also common vulnerabilities that can be identified during a penetration test, but they are not related to the scenario where the tester is able to change values in the URL and gain access to a web application.
Insecure direct object reference (IDOR) is a vulnerability where the developer of the application does not implement authorization features to verify that someone accessing data on the site is allowed to access that data.
Agree answer is C.
When the application allows for a user to retrieve another users data it's because of an IDOR vulnerability so the right answer is clearly C.
Answer is C
C. Direct object reference Explanation: • Direct object reference: This vulnerability occurs when an application provides direct access to objects based on user-supplied input. In this case, by changing the id value in the URL from 5 to 10, the tester was able to access data or functionality that should not have been accessible, indicating that the application is not properly validating or restricting user input.
The scenario described where the tester changes values in the URL to gain access to a web application is indicative of exploiting a vulnerability known as: C. Direct object reference This vulnerability, also known as Insecure Direct Object References (IDOR), occurs when an application provides direct access to objects based on user-supplied input. In this case, by simply changing the value of the "id" parameter in the URL, the tester was able to access different objects (e.g., user accounts or data records). This kind of vulnerability reveals that there is inadequate access control, and users are able to access objects directly that they shouldn't have access to.
Definitely C
C. Direct object reference. The tester was able to change the value in the URL to access a resource that was not intended to be accessible, indicating a direct object reference vulnerability