🛡️ Free practice test question from: API vulnerability (Security+)

In this scenario, the vulnerability arises because the API does not properly enforce authorization checks at the object level. By manipulating the accountId parameter, an attacker can access other users' transaction data, which should be restricted. This is a classic example of Broken Object Level Authorization (BOLA), where specific objects (User object/entity) or resources are accessible without proper authorization.

A) XSS: This involves injecting malicious scripts into a website to steal user data or hijack sessions. It's not directly relevant to this scenario.

C) SQL Injection: This occurs when malicious SQL queries are injected into an application to manipulate or extract data from a database. It's not the primary issue here, as the vulnerability lies in the API endpoint's authorization mechanism.

D) BFLA: This refers to a broader failure to properly implement authorization controls, often affecting entire functionalities. While the API endpoint's authorization is broken, the specific issue is more narrowly focused on object-level access control.