A support agent notices that changing `invoiceId=8842` to `invoiceId=8843` in a portal URL returns another customer's invoice PDF without any additional login prompt. The user is already authenticated to the application. Which vulnerability is most likely present?

Cross-site scripting

Cross-site scripting injects script into a page or session, but it does not primarily explain unauthorized access to another user's object by changing an ID.

SQL injection

SQL injection manipulates backend queries through crafted input, but the described behavior is direct object access, not a database query error pattern.

Cross-site request forgery

CSRF tricks a victim's browser into sending unwanted actions, but here the user is directly modifying a URL and viewing another object's data.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Broken access control — Broken access control is the best answer because the application is not enforcing proper authorization checks for each invoice object. The user can change an identifier and retrieve another customer's document, which is a classic object-level access control failure. This is especially risky in portals and APIs where predictable IDs are exposed. Secure design should verify every request against the caller's permissions, not just the fact that the caller is logged in. Why others are wrong: Cross-site scripting would involve script execution in the browser, not unauthorized access to a different invoice by changing an ID. SQL injection targets the backend database query layer and would usually show different symptoms. CSRF forces a victim to perform an action through their browser, but the user here is manually altering the resource identifier, which points directly to access control failure.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.