An internal review of a web-based application system finds that it is possible to gain access to all
employees' accounts by changing the employee ID in the URL used for accessing the account.
The vulnerability identified is:
A. broken authentication.
B. unvalidated input.
C. cross-site scripting.
D. structured query language (SQL) injection.
Explanation:
The authentication process is broken because, although the session is valid, the application
should reauthenticate when the input parameters are changed. The review supplied valid
employee IDs, and the valid input was processed; the problem is the lack of reauthentication
when the input parameters are changed. Cross-site scripting is not the problem in this case, since
no attack is delivered to another user's browser to obtain the output. Structured query
language (SQL) injection is not the problem either, since the input provided is a valid employee ID and no
SQL is injected to produce the output.