After purchasing an item on an e-commerce website, a user can view their order details...

The vulnerability described is anInsecure Direct Object Reference (IDOR), where manipulating the order_id (e.g., 53870) allows unauthorized access to other users’ orders. The fixes proposed by Bob and John aim to obscure the numeric value of order_id to prevent easy guessing or manipulation:

Bob’s Fix (SHA1 Hash): Replaces order_id=53870 with order_id=1ff0fe6f1599536d1326418124a261bc98b8ea1 (SHA1 hash of 53870). While this obscures the original value, an attacker can still attempt to hash potential order IDs (e.g., 53871, 53872) and test them in the URL. If the application directly uses the hash to look up the order without validating the user’s authorization, the vulnerability persists. SHA1 is aone-way hash, but it does not inherently enforce access control.

John’s Fix (Base64 Encoding): Replaces order_id=53870 with order_id=NTM4NzA= (Base64 encoding of 53870). Base64 is a reversible encoding, and an attacker can easily decode NTM4NzA= back to 53870 using standard tools. If the application decodes it and uses the original value to fetch orders without authorization checks, the IDOR vulnerability remains.

Evaluation: Both fixes address the symptom (disclosing the numeric value) but fail to address the root cause: lack of authorization validation. The application must ensure that only the authenticated user can access their own orders, regardless of the order_id format (numeric, hashed, or encoded). Neither fix includes such a check, so the vulnerability persists.

Option A ("Both solutions are adequate to fix the problem"): Incorrect, as neither solution enforces authorization.

Option B ("Both solutions are inadequate and the vulnerability is still not fixed"): Correct, as both SHA1 hashing and Base64 encoding are superficial changes that do not prevent unauthorized access.

Option C ("Only John’s solution fixes the problem"): Incorrect, as John’s Base64 encoding is reversible and does not fix the IDOR issue.

Option D ("Only Bob’s solution fixes the problem"): Incorrect, as Bob’s SHA1 hashing also does not address the authorization flaw.

The correct answer is B, aligning with the CAP syllabus under "Insecure Direct Object References (IDOR)" and "Access Control Best Practices."References: SecOps Group CAP Documents - "IDOR Mitigation," "Cryptographic Hashing," and "OWASP Access Control Testing Guide" sections.