Broken Access Control
detect, understand, remediate
Broken access control, category A01 in the OWASP Top 10 (2021), lets users act outside their intended permissions: reading other users' data or performing administrative actions they were never authorised for.
No credit card required. Free plan available forever.
What is broken access control?
Broken access control is the top category (A01:2021) in the OWASP Top 10. It occurs when an application fails to enforce, on the server, what an authenticated user is allowed to do. Users can then act outside their intended permissions: reading other users' data, modifying records they do not own, or performing administrative functions without authorisation.
Access control enforces policy such that users cannot act outside of their intended permissions. When these controls fail, attackers can view other users' accounts, access sensitive files, modify data, change access rights, and perform any action that should be restricted to specific roles or users.
This vulnerability is widespread because robust access control requires consistent server-side enforcement across every endpoint, resource, and action in the application. A single oversight, such as one API endpoint missing an authorisation check, exposes every record and action reachable through that endpoint.
How it works
Identify access control gap
The attacker discovers an endpoint, resource, or action that lacks proper server-side authorisation checks or relies solely on client-side restrictions.
Manipulate request
The attacker modifies URLs, API parameters, object IDs, or HTTP methods to access resources or functions outside their assigned permissions.
Bypass authorisation
The server processes the request without verifying that the user has permission, granting access to restricted data or functionality.
Privilege escalation
The attacker accesses other users' data, performs administrative actions, or escalates their role to gain full control of the application.
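The four steps above, walked through against a toy API. This is an added illustration, not code from the page or from any product: the invoice and user records, the route shapes and the Request type are constructed assumptions. Both gaps are deliberate, so the code shows what an unchecked server does rather than how to fix it.

```python
# Added illustration, not code from the page: a toy API with the two gaps the
# steps above describe, and the requests an attacker sends to exploit them.
# The data, route shapes and the Request type are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data
INVOICES = {
    101: {"owner": 1, "amount": 950.00, "note": "alice - consulting"},
    201: {"owner": 2, "amount": 120.00, "note": "bob - hosting"},
}
USERS = {
    1: {"name": "alice", "role": "user"},
    2: {"name": "bob", "role": "user"},
    3: {"name": "carol", "role": "admin"},
}


@dataclass
class Request:
    user_id: int              # filled in by the session layer after login
    method: str
    path: str
    body: dict = field(default_factory=dict)


def vulnerable_dispatch(req: Request) -> Tuple[int, Optional[dict]]:
    """Routes requests but never asks *who* is calling (the access control gap)."""
    parts = req.path.strip("/").split("/")

    # GET /invoices/<id>: the object id is taken straight from the URL and
    # looked up without comparing the owner to req.user_id (IDOR).
    if req.method == "GET" and len(parts) == 2 and parts[0] == "invoices":
        inv = INVOICES.get(int(parts[1]))
        return (200, inv) if inv else (404, None)

    # PUT /users/<id>/role: the admin UI hides this form from ordinary users,
    # but the server never checks the caller's role (client-side-only control).
    if req.method == "PUT" and len(parts) == 3 and parts[0] == "users" and parts[2] == "role":
        target = USERS.get(int(parts[1]))
        if target is None:
            return 404, None
        target["role"] = req.body.get("role", target["role"])
        return 200, target

    return 404, None


def attack_flow() -> Tuple[int, Optional[dict], int, str]:
    """Bob (user 2) walks the four steps: find the gap, manipulate the request,
    bypass authorisation, escalate privilege."""
    bob = 2
    # Steps 1-3: bob sees his invoice at /invoices/201, changes 201 to 101 and
    # the server returns alice's invoice without any permission check.
    status, leaked = vulnerable_dispatch(Request(bob, "GET", "/invoices/101"))
    # Step 4: bob calls the role endpoint the UI never showed him and makes
    # himself an admin.
    status2, me = vulnerable_dispatch(Request(bob, "PUT", "/users/2/role", {"role": "admin"}))
    return status, leaked, status2, me["role"]
```

Nothing in `vulnerable_dispatch` ever reads `req.user_id`; that is the whole bug. The session layer has authenticated bob correctly, but authentication without authorisation only tells the server who is asking, not whether they may have what they asked for.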
Common causes
Missing server-side checks
Authorisation is not enforced on every API endpoint and server action, allowing direct requests to bypass intended restrictions.
Relying on client-side restrictions
Hiding UI elements or disabling buttons without server-side enforcement means attackers can simply call the API directly.
Metadata manipulation
Tampering with JWTs, cookies, hidden fields or API parameters (for example, rewriting a role claim or a user ID) to elevate privileges or impersonate other users.
CORS misconfiguration and forced browsing
Overly permissive CORS policies (for example, reflecting any Origin while allowing credentials) let other origins call authenticated APIs from a victim's browser, and predictable URLs let an attacker navigate straight to restricted pages.
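The metadata manipulation cause above, shown on a JWT. This is an added example written for this page, not code from the page or from any JWT library: the signing secret and the claim names are constructed assumptions, and the token handling uses only the Python standard library so the check is visible in full. `naive_claims` is the mistake (trusting the payload without checking the signature); `verified_claims` is what the server must do instead.

```python
# Added example, not code from the page or from a JWT library. SECRET and the
# claim names are constructed assumptions; HS256 is implemented with stdlib
# hmac/hashlib so that every step of the check is visible.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: server-side signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(claims: dict) -> str:
    """Server side: mint an HS256-signed token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def naive_claims(token: str) -> dict:
    """The bug: decodes the payload and believes it, signature never checked."""
    return json.loads(_unb64url(token.split(".")[1]))


def verified_claims(token: str) -> dict:
    """Hardened: pins the algorithm, then checks the MAC in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":            # rejects alg=none and algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise PermissionError("bad signature")
    return json.loads(_unb64url(payload_b64))


def tamper_role(token: str, new_role: str, strip_signature: bool = False) -> str:
    """What the attacker does: rewrite the role claim, optionally switching the
    header to alg=none and dropping the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(payload_b64))
    claims["role"] = new_role
    payload_b64 = _b64url(json.dumps(claims).encode())
    if strip_signature:
        header_b64 = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        sig_b64 = ""
    return f"{header_b64}.{payload_b64}.{sig_b64}"
```

The same rule applies to any client-held metadata: a cookie, hidden field or query parameter is attacker-controlled input, and a role or user ID read from it is only trustworthy if it is signed with a key the client never sees and the signature is checked before the value is used.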
How to detect it
Automated detection
- SecPortal's authenticated scanner tests IDOR patterns by modifying resource IDs and checking for unauthorised access across user contexts
- Code scanning identifies API routes missing authorisation middleware, permission checks, or role-based access control enforcement
- CORS configuration analysis flags overly permissive origins and credential sharing policies
Manual testing
- Access API endpoints as a low-privilege user and attempt to perform administrative actions or access other users' resources
- Modify resource IDs in URLs and API requests to test for horizontal privilege escalation between accounts
- Send every HTTP method (GET, POST, PUT, PATCH, DELETE) to restricted endpoints; the authorisation decision must be the same whichever method is used
How to fix it
Deny by default
Implement a default-deny access control model where all requests are rejected unless explicitly authorised by a matching policy.
Implement role-based access control (RBAC)
Define clear roles and permissions. Map every action and resource to required permissions and enforce them consistently server-side.
Enforce server-side authorisation on every request
Check permissions on every API endpoint, page load, and action. Never rely on client-side UI restrictions as a security control.
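The three fixes above (deny by default, RBAC, server-side enforcement on every request) in one authorisation layer, together with the kind of access matrix the manual tests under "How to detect it" build. This is an added example written for this page, not the page's or any product's code: the users, invoices, permission names and the Request type are constructed assumptions.

```python
# Added example, not the page's or any product's code: a deny-by-default
# authorisation layer for a small invoicing API. Users, invoices, permission
# names and the Request type are constructed assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

USERS = {1: "user", 2: "user", 3: "admin"}                     # user id -> role
INVOICES = {101: {"owner": 1, "amount": 950.0}, 201: {"owner": 2, "amount": 120.0}}

# Role -> permissions. Anything not listed here is denied; unknown roles get nothing.
ROLE_PERMISSIONS = {
    "user":  {"invoice:read"},
    "admin": {"invoice:read", "invoice:read:any", "user:role:write"},
}


@dataclass
class Request:
    user_id: Optional[int]       # None = unauthenticated
    method: str
    path: str
    body: dict = field(default_factory=dict)


def has_permission(user_id: Optional[int], permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(USERS.get(user_id), set())


ROUTES: Dict[Tuple[str, str], Callable] = {}


def route(method: str, pattern: str, *, permission: str):
    """Registers a handler. Every handler must name the permission it needs;
    the wrapper runs before the handler on every request, so a route cannot
    be exposed without an authorisation check."""
    def decorator(handler):
        def guarded(req: Request, **params):
            if req.user_id is None:
                return 401, None
            if not has_permission(req.user_id, permission):   # vertical check
                return 403, None
            return handler(req, **params)
        ROUTES[(method, pattern)] = guarded
        return guarded
    return decorator


@route("GET", "/invoices/{id}", permission="invoice:read")
def get_invoice(req: Request, id: str):
    inv = INVOICES.get(int(id))
    # Horizontal check against the stored owner, never a client-supplied field.
    # Unowned and missing invoices both answer 404 so ids cannot be enumerated.
    if inv is None or (inv["owner"] != req.user_id
                       and not has_permission(req.user_id, "invoice:read:any")):
        return 404, None
    return 200, inv


@route("PUT", "/users/{id}/role", permission="user:role:write")
def set_role(req: Request, id: str):
    if req.body.get("role") not in ROLE_PERMISSIONS:
        return 400, None
    USERS[int(id)] = req.body["role"]
    return 200, {"id": int(id), "role": USERS[int(id)]}


def _match(pattern: str, path: str) -> Optional[dict]:
    pat, parts = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(pat) != len(parts):
        return None
    params = {}
    for p, q in zip(pat, parts):
        if p.startswith("{") and p.endswith("}"):
            params[p[1:-1]] = q
        elif p != q:
            return None
    return params


def dispatch(req: Request) -> Tuple[int, Optional[dict]]:
    for (method, pattern), handler in ROUTES.items():
        params = _match(pattern, req.path)
        if method == req.method and params is not None:
            return handler(req, **params)
    return 404, None     # no registered handler: denied, whatever the method


def access_matrix() -> List[int]:
    """Each route exercised as each principal: the matrix a manual test builds."""
    cases = [
        (2, "GET", "/invoices/201", {}),                 # bob reads his own invoice
        (2, "GET", "/invoices/101", {}),                 # bob tries alice's (IDOR attempt)
        (3, "GET", "/invoices/101", {}),                 # admin may read any invoice
        (2, "PUT", "/users/2/role", {"role": "admin"}),  # bob tries to self-promote
        (None, "GET", "/invoices/201", {}),              # anonymous caller
        (2, "DELETE", "/invoices/201", {}),              # method with no handler
    ]
    return [dispatch(Request(u, m, p, b))[0] for u, m, p, b in cases]
# -> [200, 404, 200, 403, 401, 404]
```

Two design points carry the weight. First, `route` has no way to register a handler without a permission, so "forgot the check on one endpoint" is a type of bug the code cannot express. Second, ownership is compared against the record in the store, never against an owner field the client sent, and the denied and not-found cases look identical from the outside.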
Disable directory listing
Prevent web servers from exposing directory contents, and make sure that version-control metadata (such as .git directories), backup files and other file metadata are not present in the web root or reachable by direct URL.
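An nginx fragment showing the weak setting beside the corrected one, as an added example rather than configuration from the page. The document root is an assumption, and the two server blocks are shown side by side for comparison, not meant to be loaded together.

```nginx
# Weak (added example, not from the page): autoindex on lists directory
# contents, and nothing stops a request for /.git/config or app.php.bak.
server {
    root /var/www/app;          # assumed document root
    autoindex on;
}

# Corrected
server {
    root /var/www/app;
    autoindex off;              # the nginx default, stated explicitly

    # Hidden version-control and environment directories/files under the root
    location ~ /\.(git|svn|hg|env) {
        return 404;
    }

    # Editor swap files and backups left behind by deployments
    location ~ \.(bak|old|orig|swp)$ {
        return 404;
    }
}
```

The equivalent for Apache httpd is `Options -Indexes` in the directory configuration. Returning 404 rather than 403 for these paths avoids confirming that the file exists; removing the files from the web root in the first place is still the real fix.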
Log and alert on access control failures
Monitor for repeated authorisation failures as they may indicate an attacker probing for access control gaps. Alert on anomalous patterns.
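A small detector for the pattern described above, run over constructed access-log lines. This is an added example, not from the page or any product: the log format (ISO timestamp, user id, method, path, status) is an assumption, and the threshold and window are starting values to tune against real traffic.

```python
# Added example, not from the page: a detector that reads constructed access-log
# lines and raises an alert when one principal accumulates repeated authorisation
# failures inside a sliding window. The log format is an assumption.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log: user 2 walks invoice ids 100..106 and is refused each time.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=1 GET /invoices/101 200
2024-05-01T10:00:03Z user=2 GET /invoices/201 200
2024-05-01T10:00:05Z user=2 GET /invoices/100 403
2024-05-01T10:00:06Z user=2 GET /invoices/101 403
2024-05-01T10:00:07Z user=2 GET /invoices/102 403
2024-05-01T10:00:08Z user=2 GET /invoices/103 403
2024-05-01T10:00:09Z user=2 GET /invoices/104 403
2024-05-01T10:00:10Z user=2 GET /invoices/105 403
2024-05-01T10:00:11Z user=1 PUT /users/1/role 403
2024-05-01T10:02:00Z user=2 GET /invoices/106 403
"""

LINE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
DENIED = {401, 403}


def authz_failure_alerts(log_text: str, threshold: int = 5, window_s: int = 60
                         ) -> List[Tuple[str, str, List[str]]]:
    """Returns (user, time of the alert, distinct resources probed) for every
    user who hit `threshold` denials within `window_s` seconds."""
    recent = defaultdict(deque)      # user -> deque of (timestamp, "METHOD path")
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                 # unparseable line: skip, do not crash the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        user, method, path, status = m.group(2), m.group(3), m.group(4), int(m.group(5))
        if status not in DENIED:
            continue
        q = recent[user]
        q.append((ts, f"{method} {path}"))
        while ts - q[0][0] > timedelta(seconds=window_s):   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, m.group(1), sorted({p for _, p in q})))
            q.clear()                # one alert per burst, not one per further request
    return alerts
```

Keying on the user is right for an authenticated API; for unauthenticated probing key on the source IP or session as well. If the application answers ownership failures with 404 to prevent enumeration, log the denial reason on the server so the detector still counts it; a run of 404s on sequential ids from one account is the same signal.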
Compliance impact
Test access controls automatically
SecPortal's authenticated scanner tests for horizontal and vertical privilege escalation and authorisation bypasses. Start free.