KT-APP Vulnerable applications

Bug bounty reports IDOR on an API returning other users' orders by changing ?userId=. Fix?

Multiple choice — select one answer

Answer choices

  1. a. Hide the parameter in client-side JavaScript so users cannot easily edit it
  2. b. Close the report because the app uses HTTPS which encrypts parameter tampering
  3. c. Enforce server-side authorization checks on every object reference, then regression test
  4. d. Rate-limit the API to one request per day without fixing authorization logic

Architectural breakdown & explanation

IDOR is an authorization flaw; TLS does not substitute for access control.

Correct answer(s): c. Enforce server-side authorization checks on every object reference, then regression test

Exam domain: Vulnerable applications (25% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Application Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.