Free Preparation Discussions
MENU
The SecOps Group Exam CAP Topic 10 Question 92 Discussion
Topic #: 10
After purchasing an item on an e-commerce website, a user can view their order details by visiting the URL:
https://example.com/?order_id=53870
A security researcher pointed out that by manipulating the order_id value in the URL, a user can view arbitrary orders and sensitive information associated with that order_id. There are two fixes:
(Bob's Fix): In order to fix this vulnerability, a developer called Bob devised a fix so that the URL does not disclose the numeric value of the order_id but uses a SHA1 hash of the order_id in the URL, such as:
https://example.com/?order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1
Note: that the SHA1 value of 53870 is 1ff0fe6f1599536d1326418124a261bc98b8ea1
(John's Fix): Another developer called John devised a different fix so that the URL does not disclose the numeric value of the order_id and uses a Base64 encoded value of the order_id in the URL, such as:
https://example.com/?order_id=NTM4NzA=
Note: that the Base64 encoded value of 53870 is NTM4NzA=
Which of the following is correct?
The vulnerability described is an Insecure Direct Object Reference (IDOR), where manipulating the order_id (e.g., 53870) allows unauthorized access to other users' orders. The fixes proposed by Bob and John aim to obscure the numeric value of order_id to prevent easy guessing or manipulation:
Bob's Fix (SHA1 Hash): Replaces order_id=53870 with order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1 (SHA1 hash of 53870). While this obscures the original value, an attacker can still attempt to hash potential order IDs (e.g., 53871, 53872) and test them in the URL. If the application directly uses the hash to look up the order without validating the user's authorization, the vulnerability persists. SHA1 is a one-way hash, but it does not inherently enforce access control.
John's Fix (Base64 Encoding): Replaces order_id=53870 with order_id=NTM4NzA= (Base64 encoding of 53870). Base64 is a reversible encoding, and an attacker can easily decode NTM4NzA= back to 53870 using standard tools. If the application decodes it and uses the original value to fetch orders without authorization checks, the IDOR vulnerability remains.
Evaluation: Both fixes address the symptom (disclosing the numeric value) but fail to address the root cause: lack of authorization validation. The application must ensure that only the authenticated user can access their own orders, regardless of the order_id format (numeric, hashed, or encoded). Neither fix includes such a check, so the vulnerability persists.
Option A ('Both solutions are adequate to fix the problem'): Incorrect, as neither solution enforces authorization.
Option B ('Both solutions are inadequate and the vulnerability is still not fixed'): Correct, as both SHA1 hashing and Base64 encoding are superficial changes that do not prevent unauthorized access.
Option C ('Only John's solution fixes the problem'): Incorrect, as John's Base64 encoding is reversible and does not fix the IDOR issue.
Option D ('Only Bob's solution fixes the problem'): Incorrect, as Bob's SHA1 hashing also does not address the authorization flaw.
The correct answer is B, aligning with the CAP syllabus under 'Insecure Direct Object Reference (IDOR)' and 'Access Control Best Practices.'
Ardella
43 minutes agoWillodean
2 hours agoGennie
4 days agoSue
4 days agoElvera
6 days agoDalene
8 days ago