Bug bounty reports IDOR on an API returning other users' orders by changing ?userId=. Fix?
Multiple choice — select one answer
Answer choices
Architectural breakdown & explanation
IDOR is an authorization flaw; TLS does not substitute for access control.
Correct answer(s): c. Enforce server-side authorization checks on every object reference, then regression test
Exam domain: Vulnerable applications (25% weight on the official guide).
Official documentation & study links
Practice this certification
This page is one question from the KeyTrain's Key Training — Application Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.