The scenario describes an API vulnerability in which unauthorized users are able to view, modify, or delete sensitive data by interacting with API objects. This indicates a failure in access control, specifically a lack of Attribute-Based Access Control (ABAC) validation: the API authenticates the caller but never checks whether that caller is allowed to act on the particular object requested.
Attribute-Based Access Control (ABAC):
ABAC is an advanced access control model that evaluates access permissions based on attributes of the user, the resource, and the environment (e.g., user role, data sensitivity, location, etc.).
When ABAC is not properly implemented ("No ABAC validation"), APIs may allow users to access or manipulate objects they shouldn't have access to.
In APIs, this typically results in vulnerabilities like Insecure Direct Object Reference (IDOR), where users can tamper with object identifiers (IDs) to access or alter data that doesn’t belong to them.
This is one of the top risks highlighted by the OWASP API Security Top 10 (e.g., Broken Object Level Authorization).
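To make the contrast concrete, the following is an added example in Python (illustrative code written for this explanation, not from the CEH courseware or any real API framework). It places an IDOR-prone object lookup next to one that evaluates user, resource and action attributes before returning data. The users, documents, clearance levels and policy rules are all constructed for the example.

```python
# Added example: an object lookup with no per-object authorization (BOLA / IDOR)
# beside one that runs an attribute-based policy first. Everything here
# (users, documents, clearance scale, policy) is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str        # subject attribute: "customer" or "support"
    clearance: int   # subject attribute: 1 = public, 2 = internal, 3 = restricted


@dataclass
class Document:
    doc_id: str
    owner_id: str
    sensitivity: int  # resource attribute, same scale as clearance
    body: str


# Constructed sample store: sequential IDs, as an API would typically expose.
DOCS = {
    "1001": Document("1001", "alice", sensitivity=3, body="alice's invoice"),
    "1002": Document("1002", "bob", sensitivity=3, body="bob's invoice"),
    "1003": Document("1003", "bob", sensitivity=1, body="public notice"),
}

# Constructed sample callers.
ALICE = User("alice", "customer", clearance=1)
BOB = User("bob", "customer", clearance=1)
SUPPORT_LOW = User("carol", "support", clearance=1)
SUPPORT_HIGH = User("dave", "support", clearance=3)


class Forbidden(Exception):
    pass


def get_document_vulnerable(user: User, doc_id: str) -> Document:
    """The flawed pattern: the caller is authenticated (we have a User), but
    nothing checks whether *this* user may read *this* object, so any valid
    session can retrieve any document ID."""
    return DOCS[doc_id]


def is_permitted(user: User, doc: Document, action: str) -> bool:
    """Attribute-based decision combining subject, resource and action attributes."""
    if action == "read":
        # The owner may always read; support staff may read only objects
        # whose sensitivity does not exceed their clearance.
        if user.user_id == doc.owner_id:
            return True
        return user.role == "support" and user.clearance >= doc.sensitivity
    if action in ("update", "delete"):
        # Only the owner may change or remove an object.
        return user.user_id == doc.owner_id
    return False  # default deny for any action the policy does not know


def can_access(user: User, doc_id: str, action: str) -> bool:
    """Policy check keyed by object ID. A missing object yields the same
    answer as a forbidden one, so the result does not reveal which IDs exist."""
    doc = DOCS.get(doc_id)
    return doc is not None and is_permitted(user, doc, action)


def get_document_secure(user: User, doc_id: str) -> Document:
    """Same lookup as the vulnerable version, but the per-object policy runs
    before any data is returned."""
    if not can_access(user, doc_id, "read"):
        raise Forbidden(f"access to document {doc_id} denied")
    return DOCS[doc_id]


if __name__ == "__main__":
    # Vulnerable: Alice receives Bob's restricted invoice.
    print(get_document_vulnerable(ALICE, "1002").body)
    # Secure: the same request is refused.
    print(can_access(ALICE, "1002", "read"))           # False
    print(can_access(SUPPORT_HIGH, "1002", "read"))    # True (role + clearance)
    print(can_access(SUPPORT_HIGH, "1002", "delete"))  # False (not the owner)
```

The point of the secure path is that the authorization decision is made per object and per action, from attributes of both the subject and the resource, rather than once at login; returning an identical error for missing and forbidden IDs also keeps the endpoint from confirming which objects exist.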
Incorrect Options:
A. Code injection refers to injecting malicious code (e.g., SQLi, XSS), not improper access control.
B. Improper use of CORS (Cross-Origin Resource Sharing) may lead to unauthorized data exposure but doesn’t describe unauthorized object access in an API.
D. Business logic flaws relate to weaknesses in application workflows and rules, not direct access control failures.
Reference – CEH v13 Official Courseware:
Module 14: Hacking Web Applications
Section: "API Security Threats"
Subsection: "Access Control Failures in APIs (IDOR, BOLA, ABAC-related flaws)"
OWASP API Security Top 10: 2023 – A1: Broken Object Level Authorization
CEH iLabs and CEH Engage also demonstrate API-based attack vectors exploiting access control weaknesses.