nerdexam
Isaca

CDPSE · Question #318

Which type of flaw in an application programming interface (API) allows an attacker to manipulate legitimate standard functionality?

The correct answer is A. Business logic misconfiguration. Business logic flaws occur when an attacker abuses the intended, legitimate workflow of an API in unintended ways-such as skipping payment steps, manipulating quantities to negative values for refunds, or reusing one-time tokens. The attacker is not breaking authentication or byp

Privacy Architecture

Question

Which type of flaw in an application programming interface (API) allows an attacker to manipulate legitimate standard functionality?

Options

  • ABusiness logic misconfiguration
  • BExcessive data exposure
  • CLack of resources and rate limiting
  • DBroken object level authorization

How the community answered

(20 responses)
  • A
    95% (19)
  • B
    5% (1)

Explanation

Business logic flaws occur when an attacker abuses the intended, legitimate workflow of an API in unintended ways-such as skipping payment steps, manipulating quantities to negative values for refunds, or reusing one-time tokens. The attacker is not breaking authentication or bypassing authorization; they are exploiting gaps in how the application enforces its own rules. This is distinct from technical vulnerabilities. Excessive data exposure (B) means the API returns more data than the caller needs. Lack of rate limiting (C) enables denial-of-service or brute-force attacks. Broken object level authorization (D) means a user can access another user's objects by changing an ID-an authorization control failure, not a logic manipulation.

Topics

#API security#Business logic flaws#Application security#Vulnerability management

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice