🔥 3-day streak
CompTIA PenTest+ (PT0-003)48 / 175
Question 48 of 175
During a web application assessment, a penetration tester logged in as a low-privileged user and intercepted the following API request in Burp Suite: GET /api/v2/invoices/1042 HTTP/1.1 with a valid session token. The tester changed the value to /api/v2/invoices/1041 and received a 200 response containing another customer's billing details, including full name and payment card last-four digits. No error or additional authentication challenge occurred. Which vulnerability has the tester most likely confirmed?
Reviewed for accuracy · Report an issueNext question