Back
Cookies Notice
This site uses cookies to deliver services and to analyze traffic.
Broken Access Control
← Back to
glossary
← Back
to
glossary
What Is Broken Access Control?
Broken access control is a security vulnerability that occurs when an application fails to properly enforce restrictions on what authenticated users can do. It allows attackers to access unauthorized resources, modify data, or perform actions beyond their intended permissions.
Access control determines who can view, create, update, or delete resources within an application. When these controls break down, users can bypass authorization checks to access other accounts, escalate privileges, or manipulate sensitive data. The consequences range from data theft to complete system compromise.
OWASP broken access control has ranked as the number one web application security risk since 2021. Its prevalence reflects how difficult access control is to implement correctly across complex, distributed applications. Every endpoint, function, and data object requires consistent enforcement.
Why Broken Access Control Is a Critical Web Application Risk
Broken access control vulnerabilities expose applications to direct, high-impact attacks. Unlike vulnerabilities that require chaining multiple exploits, access control failures often provide immediate access to sensitive resources with minimal effort.
The business impact can be severe. Attackers who bypass authorization may access customer data, financial records, intellectual property, or administrative functions. A single broken access control vulnerability in a healthcare application could expose thousands of patient records. In a financial system, it could enable unauthorized transactions.
Compliance frameworks treat access control as foundational. PCI DSS, HIPAA, GDPR, and SOC 2 all require organizations to enforce least-privilege access and demonstrate control over who can access sensitive data. Access control issues that lead to breaches trigger regulatory penalties and mandatory disclosure.
Why broken access control is a dangerous vulnerability
- High exploitability: Many access control flaws require only a browser and basic manipulation of requests.
- Direct path to data: Attackers skip intermediate steps and reach sensitive resources immediately.
- Difficult to detect: Automated scanners struggle to identify authorization logic flaws without business context.
- Wide blast radius: A single flaw may expose data across all users or grant administrative access.
- Persistent risk: New features and endpoints introduce fresh opportunities for access control mistakes.
Applications grow more complex over time. Microservices, APIs, and third-party integrations multiply the surfaces where access control must be enforced. Without systematic design and testing, gaps emerge.
Common Broken Access Control Vulnerability Examples
Access control failures take many forms. Some stem from missing checks entirely. Others result from flawed logic that attackers can circumvent with simple request modifications.
Insecure direct object references (IDOR) occur when applications expose internal identifiers in URLs or parameters without verifying authorization. An attacker changes a user ID in a request and accesses another user’s data. This pattern appears frequently in APIs that fetch records by ID.
Privilege escalation happens when users gain access to functions reserved for higher-privileged roles. A regular user modifies a request to reach an admin endpoint, or a hidden parameter enables features that should be restricted.
| Vulnerability type | Description | Example |
| Insecure direct object reference | Accessing resources by manipulating identifiers | Changing /api/orders/123 to /api/orders/456 |
| Vertical privilege escalation | Gaining higher-privileged role access | Regular user accessing /admin/users endpoint |
| Horizontal privilege escalation | Accessing peer users’ resources | Viewing another customer’s account details |
| Missing function-level access control | Sensitive functions lack authorization checks | API endpoint performs action without verifying role |
| Metadata manipulation | Tampering with tokens or hidden fields | Modifying JWT claims to change user role |
| CORS misconfiguration | Overly permissive cross-origin policies | Allowing any origin to make authenticated requests |
Teams that detect and prevent application security vulnerabilities early in development catch these patterns before they reach production. Code review, threat modeling, and security testing each play a role.
How Attackers Exploit Broken Access Control in Real Environments
Attackers probe for access control weaknesses systematically. They map application functionality, identify authorization boundaries, and test whether those boundaries hold under manipulation.
Parameter tampering is the simplest technique. Attackers modify IDs, usernames, or role indicators in requests to see if the server validates them. Many applications trust client-supplied data without server-side verification.
Forced browsing targets URLs and endpoints that lack proper protection. Attackers guess or enumerate paths to administrative panels, debug interfaces, or internal APIs. Applications that rely on obscurity rather than enforcement fall quickly.
API exploitation has grown as applications shift toward API-first architectures. Attackers analyze API responses for clues about data structure, then craft requests to access resources they should not reach. Inconsistent authorization across endpoints creates exploitable gaps.
Session and token attacks target the mechanisms that carry identity. Attackers steal, forge, or replay tokens to impersonate other users. Weak session management amplifies broken access control by making it easier to hijack authenticated contexts.
Automated tools accelerate these attacks. Scanners iterate through parameter values, endpoints, and role combinations to find authorization failures at scale. What once required manual testing now runs in minutes.
FAQs
What are the early warning signs that an application might have access control issues?
Inconsistent authorization logic across endpoints, reliance on client-side checks, missing server-side validation of user permissions, and ad-hoc role management indicate potential access control issues requiring review.
How should development teams prioritize fixing broken access control compared to other vulnerabilities?
Broken access control should rank high due to direct data exposure risk and ease of exploitation. Prioritize based on asset sensitivity, exploitability, and whether the flaw affects production systems.
Which security testing techniques are most effective for uncovering broken access control vulnerabilities?
Manual penetration testing and authorization-focused code review catch logic flaws that automated tools miss. Combine these with dynamic testing that compares responses across different user roles.
How can organizations continuously monitor and enforce access control policies as applications evolve?
Implement centralized authorization frameworks, conduct regular access reviews, integrate security testing into CI/CD pipelines, and monitor runtime logs for anomalous access patterns.
See Apiiro in action
Meet with our team of application security experts and learn how Apiiro is transforming the way modern applications and software supply chains are secured. Supporting the world’s brightest application security and development teams: