GWEB Free Sample Questions

During a security assessment of a web application, you discover an API endpoint `GET /api/v1/users/{userId}/documents` that returns a list of documents for a given user. You observe that you can substitute your `userId` with that of another user and successfully retrieve their document list. The application correctly validates your authentication token for every request. What is the specific vulnerability category that best describes this issue? ```mermaid sequenceDiagram participant Attacker participant API_Gateway as API Gateway participant App_Server as Application Server participant DB as Database Attacker->>API_Gateway: GET /api/v1/users/VICTIM_ID/documents (with Attacker's valid token) API_Gateway->>App_Server: Forward Request (Auth check passes) App_Server->>DB: SELECT * FROM documents WHERE user_id = 'VICTIM_ID' Note right of App_Server: Fails to check if logged-in user matches VICTIM_ID DB-->>App_Server: Returns Victim's documents App_Server-->>API_Gateway: 200 OK with Victim's data API_Gateway-->>Attacker: Response with Victim's data ```