Broken Access Control

What is Broken Access Control?

Broken access control is the top-ranked OWASP web application risk. It occurs when applications fail to properly enforce user permissions, allowing unauthorized access to data, functions, or resources.

What is broken access control?

Broken access control occurs when applications fail to properly enforce what authenticated users are allowed to do. It enables users to act outside their intended permissions, accessing other users' data, modifying unauthorized records, elevating privileges, or accessing administrative functions. It ranked as the number one risk in the OWASP Top 10 2021.

What are common broken access control vulnerabilities?

Common vulnerabilities include IDOR (insecure direct object reference: manipulating resource IDs to access others' data), privilege escalation (accessing admin functions as a regular user), forced browsing to unprotected pages, CORS misconfiguration enabling unintended cross-origin access, missing function-level access controls, JWT manipulation, and metadata manipulation to bypass authorization checks.

Why is broken access control the top OWASP risk?

Broken access control moved to the number one position because it is the most commonly found vulnerability category in real applications, has high exploitability, and causes severe impact. Authorization logic is inherently complex, often implemented inconsistently across endpoints, and difficult to test comprehensively with automated tools alone.

How do you prevent broken access control?

Prevention requires implementing server-side authorization checks on every request, denying access by default, centralizing access control logic, using role-based or attribute-based access control frameworks, validating resource ownership on every data access, implementing proper CORS configuration, and regularly testing authorization logic across all endpoints.

How do you test for broken access control?

Testing involves attempting horizontal privilege escalation (accessing other users' data at the same role level), vertical privilege escalation (accessing higher-privilege functions), forced browsing to admin panels, IDOR testing by manipulating resource identifiers, and automated crawling with different role credentials to compare accessible resources.
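The deny-by-default, centralized, ownership-validating checks described under prevention, together with the horizontal and vertical escalation cases listed in the testing answer, as an added Python example (not code from the original page). The role names, users and record store are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # hypothetical role names: "user" or "admin"

# Constructed sample users and data store (record id -> (owner id, payload))
ALICE, BOB, ADMIN = User(1, "user"), User(2, "user"), User(3, "admin")
RECORDS = {101: (1, "alice's invoice"), 102: (2, "bob's invoice")}

class Forbidden(Exception):
    pass

# Centralized policy: (role, action) -> predicate(user, owner_id).
# Any (role, action) pair absent from this table is denied by default.
POLICY = {
    ("user", "read"):    lambda user, owner: owner == user.id,  # own records only
    ("admin", "read"):   lambda user, owner: True,
    ("admin", "delete"): lambda user, owner: True,
}

def authorize(user, action, owner_id):
    """Server-side check run on every request; raises unless explicitly allowed."""
    rule = POLICY.get((user.role, action))
    if rule is None or not rule(user, owner_id):
        raise Forbidden(f"{user.role} {user.id} may not {action} record of {owner_id}")

def get_record_vulnerable(user, record_id):
    # IDOR: the client-supplied id is trusted and ownership is never checked
    return RECORDS[record_id][1]

def get_record(user, record_id):
    # Unknown ids get the same error as forbidden ones, so the response does
    # not reveal which ids exist.
    owner, payload = RECORDS.get(record_id, (None, None))
    if owner is None:
        raise Forbidden("no such record")
    authorize(user, "read", owner)
    return payload

def can(user, action, record_id):
    """Boolean form for tests or UI hints; the real enforcement is authorize()."""
    if record_id not in RECORDS:
        return False
    try:
        authorize(user, action, RECORDS[record_id][0])
        return True
    except Forbidden:
        return False
```

A role-comparison test as described above is the `can()` calls run once per role: the same record id should succeed for its owner and for admin, and fail for every other user.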

What is the principle of least privilege in access control?

Least privilege means granting users only the minimum permissions necessary to perform their specific job functions. Applied to access control, it means defaulting to deny access and explicitly granting only required permissions, rather than granting broad access and attempting to restrict specific resources.

How does role-based access control (RBAC) work?

RBAC assigns permissions to roles rather than individual users. Users are assigned roles that define what resources and operations they can access. This simplifies permission management at scale, ensures consistent enforcement, and makes access auditing straightforward. Complex environments may combine RBAC with attribute-based access control (ABAC).

What access control failures do penetration testers commonly find?

Testers commonly find missing authorization checks on API endpoints, client-side-only access controls that are easily bypassed, inconsistent enforcement between web and API interfaces, IDOR vulnerabilities in REST APIs, missing function-level checks that allow admin access, and stale permissions from users who changed roles but retained their previous access levels.

How To Get Started

Ready to strengthen your security? Fill out our quick form, and a cybersecurity expert will reach out to discuss your needs and next steps.