Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client?
A. Sensitive data exposure
B. Security misconfiguration
C. Insecure direct object references
D. Unvalidated redirects and forwards

Answer: C
An insecure direct object reference occurs when a developer leaves, in code that reaches the client, a reference to something on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other detail of the application's inner workings that should not be exposed to users or to the network. Because the client can see the reference, the client can also alter it; if the server then uses the altered value without checking authorization, the attacker reaches objects that were never meant for them.
Unvalidated redirects and forwards occur when an application has functions that forward users to other pages or sites, and those functions do not validate the redirect target supplied in the request, allowing an attacker to craft links that send users to malware or phishing sites under the application's own domain.
Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data at rest or in transit.
Security misconfiguration occurs when applications and systems are not configured or maintained in a secure manner, for example default accounts left enabled, unnecessary features switched on, or verbose error messages returned to users.
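The redirect case above is easiest to see in code. The following is an added example, not part of the original page: a vulnerable handler that uses a client-supplied `next` parameter verbatim, beside a validator that only permits same-origin paths or allowlisted hosts. The origin, allowlist and parameter name are hypothetical, and the handlers are plain functions rather than framework code so the block runs offline.

```python
"""Validating a post-login redirect target (added example, hypothetical names)."""
from urllib.parse import urlsplit, urljoin

APP_ORIGIN = "https://app.example.com"                   # assumed: our own site
ALLOWED_HOSTS = {"app.example.com", "docs.example.com"}  # assumed allowlist
SAFE_DEFAULT = "/"


def redirect_vulnerable(next_url):
    """VULNERABLE: whatever the client put in ?next= becomes the Location header.

    A phishing mail can link to https://app.example.com/login?next=https://evil...
    and the victim, after a genuine login on the real site, lands on the attacker's page.
    """
    return next_url


def safe_redirect_target(next_url, default=SAFE_DEFAULT):
    """Return `next_url` only if it is a local path or points at an allowlisted host.

    Anything else (foreign hosts, protocol-relative URLs, non-http schemes,
    backslash tricks, userinfo tricks, http downgrade) falls back to `default`.
    """
    if not next_url:
        return default
    # Browsers treat backslashes as slashes, so "/\evil.com" is really "//evil.com".
    # Normalise before parsing so the check sees what the browser will see.
    candidate = next_url.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:            # e.g. malformed IPv6 literal in the host part
        return default

    if parts.scheme and parts.scheme not in ("http", "https"):
        return default            # javascript:, data:, file: ...

    if parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowlisted host.
        # .hostname strips userinfo, so "https://app.example.com@evil.com" is seen as evil.com.
        host = parts.hostname or ""
        if parts.scheme != "https" or host not in ALLOWED_HOSTS:
            return default
        return candidate

    # No host component: must be an absolute local path and not "//..." (which
    # urlsplit may leave as a path but a browser would treat as a new host).
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    resolved = urlsplit(urljoin(APP_ORIGIN, candidate))
    if resolved.hostname not in ALLOWED_HOSTS:
        return default
    return candidate


if __name__ == "__main__":
    for target in ("/account", "//evil.example.net", "/\\evil.example.net",
                   "https://docs.example.com/guide", "javascript:alert(1)"):
        print(f"{target!r:35} -> {safe_redirect_target(target)!r}")
```

The allowlist check happens on the parsed host, never by string prefix: a prefix test such as `startswith("https://app.example.com")` is defeated by `https://app.example.com.evil.net`, which is one of the most common ways a redirect validator fails.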
The correct answer is C. Insecure direct object references.
An insecure direct object reference (IDOR) arises when code or markup delivered to the client carries a reference to an internal, server-side object: a raw database key, a file system path, the application's directory layout, or details of the hosting configuration. Whatever the client can see, the client can also change, so such a reference becomes a handle that an attacker can tamper with.
In this scenario the developer has left exactly those references in client-exposed code. An attacker who reads the page source, a JavaScript bundle, a URL parameter or a hidden form field learns how objects are named on the server and can substitute another key or path in the next request. If the server uses the supplied reference without checking that the requesting user is authorized for that object, the attacker reads or modifies data belonging to someone else.
For example, if an invoice page is served from a URL ending in ?id=1001, the number is a direct reference to a database row; changing it to 1002 returns another customer's invoice unless the server verifies ownership. OWASP now classifies IDOR under broken access control, which is the practical point for a reviewer: the exposed reference is the precondition, and the missing server-side authorization check is what makes it exploitable. The fix is to enforce that check on every request and, where possible, to replace internal keys with opaque per-user handles. Hardcoded credentials, internal addresses or API keys left in client-side code are a serious related problem, but they are secrets rather than object references, and are not what this question describes.
Security misconfiguration (B) is the closest distractor: it covers systems and applications that are not set up or maintained securely, such as default accounts left enabled, unneeded services running, or verbose error messages returned to users, rather than references to internal objects embedded in code. Sensitive data exposure (A) occurs when sensitive information is stored or transmitted without adequate encryption or other controls, making it available to unauthorized parties. Unvalidated redirects and forwards (D) occur when an application builds a redirect or forward from user input without validating it, allowing an attacker to send the user to a malicious site or page.
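The invoice example is worth seeing end to end. The block below is an added example, not code from the original page: a handler that looks up an invoice by the raw key the client supplied, followed by the two standard fixes, an explicit server-side ownership check and an indirect reference map that hands the client opaque per-session handles instead of database keys. The invoice data, user names and session model are constructed for the example; there is no web framework, so the handlers are plain functions.

```python
"""IDOR: vulnerable lookup beside its two fixes (added example, constructed data)."""
import secrets

# Constructed sample data: invoices keyed by their raw database id.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 980.50},
    1003: {"owner": "alice", "amount": 45.10},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(user, invoice_id):
    """VULNERABLE: the client-supplied id is the database key, and `user` is never consulted.

    The raw primary key is exposed in the URL, so anyone can walk 1001, 1002, 1003 ...
    and read every customer's invoice.
    """
    return INVOICES[invoice_id]


def get_invoice_checked(user, invoice_id):
    """FIX 1: keep the direct reference but enforce authorization on the server.

    The missing ownership check is what makes the IDOR exploitable, so the
    minimum fix is to verify that the object belongs to the requester.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # One error for "missing" and "not yours", so the response does not
        # confirm which ids exist.
        raise Forbidden(f"{user} may not access invoice {invoice_id}")
    return invoice


class IndirectReferenceMap:
    """FIX 2: never expose the internal key at all.

    Each session gets random handles for the objects it is allowed to see.
    The client only ever sees and returns a handle; the server maps it back
    to the real key. A leaked handle says nothing about the database and
    cannot be incremented to reach another user's record.
    """

    def __init__(self):
        self._handle_to_key = {}

    def expose(self, key):
        handle = secrets.token_urlsafe(16)
        self._handle_to_key[handle] = key
        return handle

    def resolve(self, handle):
        if handle not in self._handle_to_key:
            raise Forbidden("unknown or foreign object handle")
        return self._handle_to_key[handle]


def list_invoices_for(user, refmap):
    """Build the user's view of their own invoices, keyed by opaque handle."""
    return {refmap.expose(key): inv["amount"]
            for key, inv in INVOICES.items() if inv["owner"] == user}


def get_invoice_indirect(refmap, handle):
    """Resolve a handle through this session's map; foreign ids never match."""
    return INVOICES[refmap.resolve(handle)]


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable("bob", 1001))   # bob reads alice's invoice
    try:
        get_invoice_checked("bob", 1001)
    except Forbidden as err:
        print("checked:", err)
    alice_map = IndirectReferenceMap()
    view = list_invoices_for("alice", alice_map)
    handle = next(iter(view))
    print("indirect:", handle, "->", get_invoice_indirect(alice_map, handle))
```

Fix 2 does not replace Fix 1: the map must be built per user (or per session) from objects that user is authorized for, otherwise it only obscures the key without restricting access.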