CompTIA CASP+ (CAS-003) — Question 195
An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to:
URL: http://192.168.0.100/ERP/accountId=5&action=SELECT
Which of the following is the MOST likely vulnerability in this ERP platform?
Answer options
- A. Brute forcing of account credentials
- B. Plain-text credentials transmitted over the Internet
- C. Insecure direct object reference
- D. SQL injection of ERP back end
Correct answer: C
Explanation
The correct answer is C. The URL carries the account identifier as a plain, user-controllable query parameter (accountId=5), which suggests the application looks up records directly by that value; if no server-side authorization check ties the ID to the logged-in user, anyone could change the number in the URL and read other accounts' records. Option A is incorrect because nothing in the URL structure indicates brute forcing of credentials. Option B is also incorrect because there is no indication that credentials are being transmitted in plain text (the URL exposes a record identifier, not a username or password). Option D does not apply because the URL shows an ordinary parameter, not an injected SQL fragment, and exposing a direct identifier is a different weakness from SQL injection.