🔥 3-day streak
ISC2 CCSP — Certified Cloud Security Professional79 / 124
Question 79 of 124

A development team is deploying a cloud-native web application that exposes a REST API. Regular authenticated users interact only with the standard endpoints, but a penetration tester discovers that by directly invoking the URL '/api/v1/admin/deleteUser', a normal user without any administrative role is able to remove other accounts. The endpoint performs no server-side role verification and relies solely on the fact that the admin function link is hidden from the standard user interface. Which OWASP application security weakness does this MOST directly represent?

Reviewed for accuracy · Report an issueNext question