🔥 3-day streak
ISC2 CCSP — Certified Cloud Security Professional1 / 124
Question 1 of 124
A development team exposes a REST API for a multi-tenant cloud SaaS. During a security review, a tester finds that by changing the numeric 'accountId' parameter in the URL (e.g., /api/v1/accounts/1042/invoices), they can retrieve invoices belonging to other tenants even though the JWT they present is valid for only their own account. The endpoint authenticates the token correctly but returns data without further checks. Which control best addresses this OWASP API Security Top 10 weakness?
Reviewed for accuracy · Report an issueNext question