Which security vulnerability is demonstrated by a function that reveals data only if the caller's user ID equals the stored owner ID?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

Which security vulnerability is demonstrated by a function that reveals data only if the caller's user ID equals the stored owner ID?

Explanation:
The important concept here is object-level access control: deciding who can access which specific resource. In this scenario, access to the data is granted only when the caller’s user ID matches the owner ID stored with the data. That shows the application is making an authorization decision on a per-resource basis. If this check is not consistently applied across all resources or can be bypassed (for example, by requesting a different object or by manipulating IDs), an attacker could access data belonging to others. That is the hallmark of broken object-level authorization: the system relies on an ownership check to gate access, but the enforcement is flawed or incomplete, allowing unauthorized access to other objects. This is more specific than a broad access control misconfiguration, and it’s distinct from privilege escalation, which would involve gaining higher privileges than authorized. It’s also more about the per-object permissions than simply exposing a reference to an object without proper checks (which is the core idea behind insecure direct object reference).

The important concept here is object-level access control: deciding who can access which specific resource. In this scenario, access to the data is granted only when the caller’s user ID matches the owner ID stored with the data. That shows the application is making an authorization decision on a per-resource basis. If this check is not consistently applied across all resources or can be bypassed (for example, by requesting a different object or by manipulating IDs), an attacker could access data belonging to others. That is the hallmark of broken object-level authorization: the system relies on an ownership check to gate access, but the enforcement is flawed or incomplete, allowing unauthorized access to other objects. This is more specific than a broad access control misconfiguration, and it’s distinct from privilege escalation, which would involve gaining higher privileges than authorized. It’s also more about the per-object permissions than simply exposing a reference to an object without proper checks (which is the core idea behind insecure direct object reference).

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy