Yoyodyne Systems has recently bought out its competitor, Whamiedyne Systems, which went out of business due to a series of data breaches. As a cybersecurity analyst for Yoyodyne, you are assessing Whamiedyne's existing applications and infrastructure. During your analysis, you discover the following URL is used to access an application:

https://www.whamiedyne.com/app/accountInfo?acct=12345

You change the URL to end with 12346 and notice that a different user's account information is now displayed. Which of the following types of vulnerabilities or threats have you discovered?

A. Insecure direct object reference
B. XML injection​
C. Race condition​
D. SQL injection

1 Answer


Final answer:

The vulnerability discovered is an Insecure direct object reference, which allows unauthorized access to user information by manipulating the URL.

Therefore, the correct answer is option A) Insecure direct object reference.

Step-by-step explanation:

An Insecure direct object reference occurs when a website or application does not properly validate or authenticate user input, allowing users to access unauthorized information or resources. In this case, by changing the URL to end with a different account number, you were able to view someone else's account information.

An example of how this vulnerability could be exploited is if a website's URL structure follows a predictable pattern, such as using incrementing numbers for user accounts. An attacker could manipulate the URL to access accounts that they should not have permissions to access.

To prevent this vulnerability, developers should implement proper authorization checks and input validation to ensure that users can only access the resources that they are authorized to.
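The following Python snippet is an added example, not part of the question or the answer above, showing the pattern the answer describes: an account-lookup handler that trusts the `acct` parameter, placed beside a fixed version that validates the parameter and checks that the account belongs to the logged-in user. The user names, account numbers, the `ACCOUNTS` store and the `handle_request` wrapper are all constructed for illustration and stand in for a real web framework and database.

```python
# Added example (not from the original question or answer): minimal
# account-info handlers illustrating an insecure direct object reference
# and the authorization check that closes it. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    acct_id: int
    owner: str
    balance: int


# Constructed in-memory store standing in for the application's database.
ACCOUNTS = {
    12345: Account(12345, "alice", 100),
    12346: Account(12346, "bob", 250),
}


class BadRequest(Exception):
    """Raised when the acct parameter is not a plain account number."""


class Forbidden(Exception):
    """Raised when the session user does not own the requested account."""


def parse_acct(raw: str) -> int:
    """Input validation: accept only a plain decimal account number."""
    if not raw.isdigit():
        raise BadRequest(f"invalid acct parameter: {raw!r}")
    return int(raw)


def account_info_vulnerable(current_user: str, acct_param: str) -> dict:
    """IDOR: the record is returned for whoever supplies a valid id;
    current_user is never consulted."""
    acct = ACCOUNTS[parse_acct(acct_param)]
    return {"acct": acct.acct_id, "owner": acct.owner, "balance": acct.balance}


def account_info_fixed(current_user: str, acct_param: str) -> dict:
    """Fixed: look the record up, then verify it belongs to the session user.
    A missing account and someone else's account produce the same error,
    so the response does not reveal which account ids exist."""
    acct = ACCOUNTS.get(parse_acct(acct_param))
    if acct is None or acct.owner != current_user:
        raise Forbidden("not authorised for this account")
    return {"acct": acct.acct_id, "owner": acct.owner, "balance": acct.balance}


def handle_request(current_user: str, acct_param: str, handler) -> tuple:
    """Tiny stand-in for a web framework: maps exceptions to HTTP statuses.
    Returns (status_code, body)."""
    try:
        return 200, handler(current_user, acct_param)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # alice is logged in and edits the URL to a neighbouring account number.
    print("vulnerable:", handle_request("alice", "12346", account_info_vulnerable))
    print("fixed:     ", handle_request("alice", "12346", account_info_fixed))
    print("own acct:  ", handle_request("alice", "12345", account_info_fixed))
    print("bad input: ", handle_request("alice", "12346 OR 1=1", account_info_fixed))
```

Running the block shows the vulnerable handler returning bob's balance to alice with status 200, while the fixed handler returns 403 for the same request, 200 for alice's own account, and 400 for a non-numeric parameter. The ownership test is the key line: validation alone (`parse_acct`) only rejects malformed input, and does nothing to stop a well-formed id that belongs to another user.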