Broken Access Control Explained (OWASP A01)

What is Access Control?

Access control ensures that users can only access resources they are authorized to use. Applications typically define roles such as admin, user, and guest.

What is Broken Access Control?

Broken Access Control happens when these restrictions are not properly enforced, allowing attackers to access unauthorized data or perform restricted actions.

Types of Access Control Issues

• IDOR (Insecure Direct Object Reference)
• Privilege Escalation
• Forced Browsing
• Missing Authorization Checks

Real World Example (IDOR)

A website allows users to view their profile using:

If the system does not verify ownership, changing the ID:

This allows attackers to access another user's data.

Privilege Escalation

Attackers may gain higher privileges by manipulating requests or bypassing checks.

Why It is Dangerous

• Unauthorized data access
• Account takeover
• Full system compromise

How to Prevent Broken Access Control

• Implement server-side validation
• Use role-based access control (RBAC)
• Avoid exposing sensitive IDs
• Perform access checks on every request

Conclusion

Broken Access Control is one of the most critical vulnerabilities because it directly exposes sensitive data and system functionality. Proper authorization checks must be implemented across all application layers.