Insecure direct object reference is a type of vulnerability where the application does not verify if the user is authorized to access the internal object via its name or key. Suppose a malicious user Rob tries to get access to the account of a benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability?

A. "GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1 Host: westbank.com"
B. "GET /restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com"
C. "GET /restricted/bank.getaccount('Ned') HTTP/1.1 Host: westbank.com"
D. "GET /restricted/rn%00account%00Ned%00access HTTP/1.1 Host: westbank.com"

Suggested Answer: B
Community Answer: C

This question is in the 312-50V10 EC-Council Certified Ethical Hacker v10 Exam, for getting the EC-Council Certified Ethical Hacker (CEH) Certificate.

Disclaimers: The website is not related to, affiliated with, endorsed or authorized by EC-Council. Trademarks, certification and product names are used for reference only and belong to EC-Council. The website does not contain actual questions and answers from EC-Council's Certification Exams.