OWASP Top 10 – A01: Broken Access Control

What Is Broken Access Control?

Broken Access Control occurs when an application fails to enforce proper restrictions on what authenticated users are allowed to do. In other words, users can perform actions or access data that should be outside their permission level.

This vulnerability ranks #1 in the OWASP Top 10 (2021) due to its frequency and potential impact.

Why Is It Dangerous?

  • Users can access or manipulate data that doesn’t belong to them.
  • Attackers may escalate privileges and act as administrators.
  • Leads to data leaks, account takeovers, or full system compromise.

Simple Analogy:

Imagine a hotel where every guest has a room key. But in this hotel, all doors are left open and anyone can enter any room — that’s broken access control in action.

Real-World Examples

1. Insecure Direct Object Reference (IDOR)

A user manipulates an ID in the URL to view another user’s data:

GET /user/profile/123 → their own profile
GET /user/profile/124 → someone else's profile

If the system doesn’t verify ownership of the resource, it’s a broken access control issue.

2. Role Bypass

A regular user accesses an admin-only page:

GET /admin/dashboard

If there is no role check on the backend, access control is broken.

3. Hidden UI Elements Without Backend Validation

A “Delete User” button is hidden in the frontend, but still functional:

<button style="display: none;">Delete User</button>

Attackers can unhide and trigger this button via browser dev tools — if the backend doesn’t validate roles, it’s a critical flaw.

4. HTTP Method Tampering

A user sends POST or DELETE requests to an endpoint that was only meant to serve unauthenticated GET requests. If the access check is tied to the HTTP method rather than to the resource itself, the other methods are handled without any authorization check.

Categories of Access Control Issues

  • Vertical Privilege Escalation: Gaining higher privileges (e.g., from user to admin).
  • Horizontal Privilege Escalation: Accessing data of other users at the same privilege level.
  • Forced Browsing: Manually navigating to sensitive endpoints not linked in the UI.
  • Missing Function-Level Access Control: Backend fails to check user roles for specific functions.

How to Prevent Broken Access Control

1. Enforce Access Controls Server-Side

Never rely on frontend code for authorization. All decisions must be validated on the server.

2. Role Validation for Every Sensitive Request

# Reject the request on the server unless the authenticated user holds the admin role
if user.role != "admin":
    return 403  # Forbidden

3. Use Unpredictable Resource Identifiers

Avoid sequential numeric IDs like /user/123, which invite guessing, and use UUIDs instead. Unpredictable identifiers only make enumeration harder; the server-side ownership check from point 1 is still required:

/user/a93f8f2e-cd11-49a8-9944-9f8b6c57a6f2

4. Apply the Principle of Least Privilege

Only give users the minimal set of permissions they need to function.

5. Automate Authorization Testing

Build test cases that simulate unauthorized requests:

  • Send requests with invalid roles.
  • Try accessing others’ data.
  • Attempt to elevate privileges via the API.

6. Enable Logging and Alerting

Log all access control violations. Trigger alerts if multiple suspicious attempts are detected.
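The following is an added example, not code from the original post: a small server-side dispatcher that applies points 1, 2 and 6 to the four attack patterns above. The users, profile table and routes are constructed for illustration; a real application would load them from its database and framework.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: profile id -> owner's user id
PROFILES = {123: 1, 124: 2}

# Every denied request is recorded here (stand-in for the audit log in point 6)
VIOLATIONS = []


def deny(user, method, path):
    """Record the violation, then answer 403 without touching any data."""
    VIOLATIONS.append((user.id, method, path))
    return 403, "forbidden"


def handle_request(user, method, path):
    """Authorize before acting. Returns (status, body).

    - GET profile: owner or admin (closes the IDOR case, example 1)
    - DELETE profile and /admin/dashboard: admin only (examples 2 and 3,
      so a hidden 'Delete User' button gains nothing)
    - any other method on a known path: 405, so changing the verb
      never bypasses a check (example 4)
    """
    parts = path.strip("/").split("/")
    if parts == ["admin", "dashboard"]:
        if user.role != "admin":
            return deny(user, method, path)
        return (200, "dashboard") if method == "GET" else (405, "method not allowed")
    if len(parts) == 3 and parts[:2] == ["user", "profile"] and parts[2].isdigit():
        pid = int(parts[2])
        if pid not in PROFILES:
            return 404, "not found"
        if method == "GET":
            if user.role == "admin" or PROFILES[pid] == user.id:
                return 200, {"profile": pid, "owner": PROFILES[pid]}
            return deny(user, method, path)
        if method == "DELETE":
            if user.role != "admin":
                return deny(user, method, path)
            PROFILES.pop(pid)
            return 204, ""
        return 405, "method not allowed"
    return 404, "not found"
```

Calling handle_request(User(1, "user"), "GET", "/user/profile/124") returns 403 and appends (1, "GET", "/user/profile/124") to VIOLATIONS, which is the event an alert rule would count.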

Useful Tools for Testing

  • Burp Suite: Modify requests to simulate privilege escalation.
  • OWASP ZAP: Automated scan for insecure access points.
  • Postman: Manual API testing for role manipulation.
  • JWT.io: Modify and re-sign tokens to simulate forged roles.

Final Thoughts

Broken Access Control is one of the most dangerous and most common web security flaws. It is often simple to exploit and can lead to devastating consequences.

To stay secure:

  • Always enforce server-side authorization.
  • Verify every action and resource request against the user’s permissions.
  • Regularly test your application using both automated tools and manual inspection.
