When conducting a security assessment of a web application, you discover that the application fails to properly restrict URL access to a function that should only be accessible to users with administrative privileges. Through this functionality, non-admin users can perform sensitive operations, which poses a significant security risk. Based on the OWASP Top 10 list, which vulnerability category does this scenario BEST align with?
The correct answer is 'Broken Access Control' (A01:2021 in the current OWASP Top 10), the category for failures to enforce restrictions on what authenticated users are allowed to do. The scenario is a textbook instance: an administrative function is reachable by any authenticated user who requests its URL directly, because the server relies on the link being hidden from non-admin users instead of checking the caller's privileges on every request. Earlier editions listed this specific flaw on its own as 'Missing Function Level Access Control' (A7:2013); it was folded into Broken Access Control in 2017. Attackers exploit such flaws to reach unauthorized functionality or data: acting as other users, viewing sensitive files, modifying other users' data, changing access rights, and so on. 'Insecure Direct Object References' (labelled A04:2021 in the answer choices, but that identifier belongs to 'Insecure Design'; IDOR was A4:2013) was likewise a separate entry in earlier editions and is now a subcategory of Broken Access Control, covering object-level rather than function-level checks. 'Sensitive Data Exposure' (A3:2017, renamed 'Cryptographic Failures' in 2021) concerns inadequate protection of data at rest or in transit, not who may invoke a function. 'Insufficient Logging & Monitoring' (A10:2017, now 'Security Logging and Monitoring Failures') concerns the inability to detect a breach; it might let this exploitation go unnoticed, but it is not the flaw described.
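As an added illustration (not part of the original question or answer), the following Python models the flaw and its fix with a toy in-memory router rather than a real web framework: the vulnerable handler trusts that the admin URL is simply not linked from the non-admin UI, while the hardened handler applies a deny-by-default role check on every request. The `require_role` decorator, the route tables, the paths and the two users are assumptions made for this example. It also includes a small audit helper that flags any `/admin/` route without a guard, the kind of check a test suite can run so the flaw cannot quietly return.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (HTTP status, body)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Request:
    path: str
    user: User  # already authenticated; the question is what this user may do


def require_role(role: str):
    """Deny-by-default guard (assumed helper, not a framework feature): the
    handler body runs only when the authenticated caller holds `role`."""
    def decorator(handler: Callable[[Request], Response]):
        @wraps(handler)
        def guarded(req: Request) -> Response:
            if role not in req.user.roles:
                return 403, "forbidden"
            return handler(req)
        guarded.required_role = role  # marker used by the route audit below
        return guarded
    return decorator


# Vulnerable: the only "protection" is that the admin UI does not link here.
def delete_user_vulnerable(req: Request) -> Response:
    return 200, "user deleted"  # no check of req.user at all


# Hardened: the privilege check happens server-side on every request.
@require_role("admin")
def delete_user_hardened(req: Request) -> Response:
    return 200, "user deleted"


VULNERABLE_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/admin/deleteUser": delete_user_vulnerable,
}
HARDENED_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/admin/deleteUser": delete_user_hardened,
}


def dispatch(routes: Dict[str, Callable[[Request], Response]], req: Request) -> Response:
    """Minimal router standing in for the web framework."""
    handler = routes.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


def unguarded_admin_routes(routes: Dict[str, Callable[[Request], Response]]) -> List[str]:
    """Audit check: every path under /admin/ must carry a role guard.
    Returns the offending paths so a CI test can fail on them."""
    return sorted(path for path, handler in routes.items()
                  if path.startswith("/admin/")
                  and getattr(handler, "required_role", None) is None)


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))         # constructed non-admin
    root = User("root", frozenset({"user", "admin"}))  # constructed admin
    forced = Request("/admin/deleteUser", alice)       # forced browsing by a non-admin
    print("vulnerable:", dispatch(VULNERABLE_ROUTES, forced))   # (200, 'user deleted')
    print("hardened:  ", dispatch(HARDENED_ROUTES, forced))     # (403, 'forbidden')
    print("admin:     ", dispatch(HARDENED_ROUTES, Request("/admin/deleteUser", root)))
    print("unguarded: ", unguarded_admin_routes(VULNERABLE_ROUTES))  # ['/admin/deleteUser']
```

The point of the audit helper is that hiding a link is not a control: whatever the UI shows, the server must decide per request from the caller's verified identity, and a routine test that every privileged path carries a guard catches the case where a new admin endpoint is added without one.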