Overview
Broken Access Control is the #1 vulnerability category in the OWASP Top 10 (2021), appearing in 94% of applications tested. It encompasses any situation where a system fails to correctly enforce what actions a user is authorized to perform or what data they are authorized to access. Unlike authentication failures (which address who a user is), access control failures address what an authenticated — or even unauthenticated — user is allowed to do.
Access control vulnerabilities range from horizontal privilege escalation (accessing another user's data at the same privilege level) to vertical privilege escalation (accessing administrative or higher-privileged functionality), and include cases where unauthenticated users reach protected endpoints entirely.
How it works
Access control weaknesses arise when server-side authorization logic is absent, incomplete, or inconsistently applied. Common patterns include:
- Insecure Direct Object Reference (IDOR): An API endpoint such as
GET /api/invoices/4821returns data based solely on the user-supplied ID without verifying that the requesting user owns or has rights to that invoice. An attacker enumerates IDs to access other users' records. - Forced browsing: Sensitive pages (e.g.,
/admin/dashboard,/reports/export) are reachable via direct URL navigation because the server only hides links in the UI rather than enforcing authorization server-side. - Missing function-level access control: An ordinary user discovers an administrative API endpoint (e.g.,
DELETE /api/users/:id) that lacks role checks and can call it successfully. - Client-side access control: Authorization decisions rely on hidden form fields, JavaScript flags, or JWT claims that the client can modify (e.g., changing
"role":"user"to"role":"admin"in an unsigned or weakly signed token). - CORS misconfiguration: Overly permissive Cross-Origin Resource Sharing policies allow malicious third-party sites to make credentialed requests to authenticated endpoints.
- Path traversal enabling access control bypass: URL manipulation such as
/admin/../user/profilebypasses middleware that checks only the literal path prefix. - Metadata manipulation: Tampering with cookies, JWT tokens, or request parameters that control access level when the server trusts them without cryptographic verification.
Business impact
Successful exploitation of broken access control can have severe, multi-dimensional consequences:
- Data breach: Attackers can exfiltrate personally identifiable information (PII), financial records, health data, or intellectual property belonging to other users or the organisation itself.
- Data manipulation or deletion: Privilege escalation can allow modification or irreversible deletion of records, configurations, or user accounts.
- Account takeover: Administrative functions exposed without proper checks allow attackers to reset passwords, change email addresses, or disable multi-factor authentication for any account.
- Regulatory and legal liability: Exposure of user data violates GDPR, HIPAA, PCI-DSS, and similar frameworks, potentially resulting in significant financial penalties and mandatory breach notifications.
- Reputational damage: Public disclosure of a data breach caused by access control failures erodes customer trust and brand value, often with lasting commercial impact.
How to fix it
- Enforce authorization server-side on every request: Never rely solely on UI-level hiding of links or buttons. Every API endpoint and server-rendered page must independently verify the requesting user's identity and permissions before returning data or executing an action.
- Adopt a deny-by-default policy: Access should be denied unless explicitly granted. New endpoints and resources should require positive permission grants rather than inheriting open access.
- Use indirect object references or GUIDs: Replace sequential numeric IDs with unpredictable identifiers (e.g., UUIDs) and always validate ownership or permission on the server when resolving any reference.
- Implement role-based or attribute-based access control (RBAC/ABAC): Define permissions centrally in a dedicated authorization layer or library. Avoid scattering ad hoc role checks throughout the codebase.
- Validate JWT tokens rigorously: Use strong, server-managed signing keys; validate the
algheader; reject tokens with"alg":"none"; verify all claims including audience and expiry. - Log and alert on access control failures: Record authorization denials with user identity, timestamp, resource, and action. Set up alerting for unusual patterns (e.g., repeated 403 responses from a single user).
- Write automated tests for access control: Include integration and regression tests that verify users cannot access resources or functions belonging to other users or higher privilege levels. Incorporate these into CI/CD pipelines.
- Review CORS policies: Restrict
Access-Control-Allow-Originto explicitly required origins; never use*with credentialed requests. - Conduct regular access control reviews: Review permission matrices and access control logic during code reviews and periodically audit production configurations, especially after feature additions or refactoring.
Sensagraph automatically detects common broken access control indicators including exposed admin paths, IDOR-prone endpoint patterns, and overly permissive CORS configurations during continuous scanning.
References
- OWASP Top 10 A01:2021 – Broken Access Control
- OWASP WSTG – Authorization Testing
- MITRE CWE-284: Improper Access Control
- MITRE CWE-285: Improper Authorization
- MITRE CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
- OWASP Access Control Cheat Sheet
- OWASP IDOR Prevention Cheat Sheet
- PortSwigger Web Security Academy – Access Control