Certified Cloud Security Professional – CCSP – Question221

Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it?

A.
Cross-site request forgery
B. Missing function-level access control
C. Injection
D. Cross-site scripting

Correct Answer: B

Explanation:

Explanation: It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.