Which of the following is an example of improper access control?


Multiple Choice

Which of the following is an example of improper access control?

Explanation:
Improper access control happens when an application does not adequately verify that a user should be allowed to access a requested resource. A classic example is insecure direct object references, where the app uses a direct reference to an internal object (like an ID in the URL or a parameter) and only trusts the client to supply it without checking the caller’s permission. If an attacker changes the reference (for example, swapping an ID in the request), they can access another user’s data or a resource they shouldn’t see because the server didn’t enforce proper authorization for that object.

Cross-site scripting isn’t about access to resources; it’s about injecting and executing malicious scripts in another user’s browser, which is an input/output security issue rather than an access-control enforcement problem. Directory traversal targets the file system by manipulating paths to reach restricted files, which is more about path handling and file access than about validating per-user permissions for resources. SQL injection is about manipulating database queries to alter or extract data, which is a code-injection vulnerability affecting data handling rather than whether a user is authorized to access a given object.
