After purchasing an item on an e-commerce website, a user can view his order details by visiting the URL:
https://example.com/order_id=53870
A security researcher pointed out that by manipulating the order_id value in the URL, a user can view arbitrary orders and sensitive information associated with that order_id.
Which of the following is correct?
Correct Answer: B
The scenario describes an e-commerce website where a user can view order details by manipulating the order_id parameter in the URL (e.g., https://example.com/order_id=53870). A security researcher found that changing the order_id allows access to arbitrary orders and sensitive data, indicating an authorization issue.
This is not a simple input validation problem (e.g., SQL injection or path traversal), as the input (order_id) is processed, but the system fails to enforce proper access controls. This is a classic case ofInsecure Direct Object References (IDOR), where an attacker can access resources by guessing or manipulating identifiers without proper authorization checks. The root cause is a weak authorization mechanism, likely tied to poor session management orprivilege validation, allowing unauthorized users to view others' data.
* Option A ("The root cause of the problem is a lack of input validation..."): Incorrect, as the issue is not about invalid input (e.g., malicious code) but about unauthorized access to valid data. Whitelisting might help sanitize input, but it doesn't address authorization.
* Option B ("The root cause of the problem is a weak authorization (Session Management)..."):
Correct, as the problem stems from inadequate authorization checks. Validating user privileges (e.g., ensuring the user can only access their own orders) or improving session management (e.g., tying orders to user sessions) can fix this IDOR vulnerability.
* Option C ("The problem can be solved by implementing a Web Application Firewall (WAF)"):
Incorrect as a standalone solution, as WAFs mitigate certain attacks (e.g., SQLi, XSS) but are not a substitute for fixing authorization logic. A WAF might detect patterns but won't enforce proper access control.
* Option D ("None of the above"): Incorrect, as Option B accurately identifies the root cause and solution.
The correct answer is B, aligning with the CAP syllabus under "Authorization and Access Control" and
"OWASP Top 10 (A04:2021 - Insecure Design)."References: SecOps Group CAP Documents - "Session Management," "Insecure Direct Object References (IDOR)," and "OWASP Top 10" sections.
