Exposing internal objects such as files or database records to users via direct references can lead to which vulnerability?

Multiple Choice

Explanation:
When an application uses a direct reference to an internal object (such as a file name or a database record ID) that the user supplies in a request, it exposes that object to anyone who can change the reference. If the server simply takes the supplied object ID and returns the matching item after basic authentication, an attacker can alter the reference to reach other objects they are not permitted to see. This is an insecure direct object reference (IDOR): the system fails to enforce object-level access control on every request, so instead of restricting authenticated users to their own objects, it lets them reach other users' objects simply by changing the reference.

Mitigation focuses on enforcing authorization for each object requested, checking that the current user is actually entitled to that specific object, and often on using indirect references (per-user or per-session tokens that the server maps back to the real object with a proper access check), so that changing a reference does not grant unauthorized access. This is not about stealing passwords, nor about missing broader access controls at the function level; it is specifically about failing to protect individual objects when they are exposed directly through user-supplied references.
