Category: Web Application. Severity: Critical.

Broken Access Control

Broken access control is consistently a top application risk. Authorization must be enforced server-side for every object and action, regardless of UI restrictions.

How Attackers Use It

Attack Summary

The application fails to enforce permissions on actions or resources. An insecure direct object reference (IDOR) lets a user read or modify other users' data by manipulating an object ID in the URL or request body.

  • Attacker enumerates object IDs through predictable URL patterns.
  • Missing ownership checks expose records across user boundaries.
  • Privilege checks are bypassed by discovering hidden or undocumented endpoints.
  • Sensitive actions execute under insufficient authorization.

Defensive Strategy

Defense Summary

Enforce server-side authorization checks on every request. Use indirect references (UUIDs or opaque tokens) instead of sequential IDs. Audit access controls regularly.

  • Authorize every action and object on the server.
  • Adopt a deny-by-default policy in API gateways and services.
  • Use non-enumerable identifiers and tenancy-aware queries.
  • Add automated authorization tests to CI pipelines.
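An added example, not code from the original page, showing the defensive points above in Python: opaque identifiers, a tenancy-aware lookup that denies by default, and a CI-style authorization check. The invoice store, the `tenant_admin` role and the principals are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Invoice:
    invoice_id: str  # opaque UUID, not a sequential integer, so IDs cannot be enumerated
    tenant_id: str
    owner_id: str

class InvoiceStore:
    # Hypothetical in-memory store standing in for a database table.
    def __init__(self) -> None:
        self._rows: dict[str, Invoice] = {}

    def create(self, owner: Principal) -> Invoice:
        inv = Invoice(str(uuid.uuid4()), owner.tenant_id, owner.user_id)
        self._rows[inv.invoice_id] = inv
        return inv

    def get_for(self, caller: Principal, invoice_id: str) -> Invoice:
        # Tenancy-aware lookup: a row in another tenant is handled like a missing row,
        # so the response never confirms that the ID exists.
        inv = self._rows.get(invoice_id)
        if inv is None or inv.tenant_id != caller.tenant_id:
            raise PermissionError(invoice_id)
        # Deny by default: read is granted only to the owner or a tenant admin.
        if inv.owner_id != caller.user_id and "tenant_admin" not in caller.roles:
            raise PermissionError(invoice_id)
        return inv

def authz_regression_check() -> dict[str, bool]:
    # CI-style authorization test; every value must be True for the build to pass.
    store = InvoiceStore()
    alice = Principal("alice", "tenant-a")
    bob = Principal("bob", "tenant-b")
    admin_a = Principal("root-a", "tenant-a", frozenset({"tenant_admin"}))
    inv = store.create(alice)
    results = {"owner_can_read": store.get_for(alice, inv.invoice_id) is inv,
               "tenant_admin_can_read": store.get_for(admin_a, inv.invoice_id) is inv}
    try:
        store.get_for(bob, inv.invoice_id)  # cross-tenant read must be refused
        results["cross_tenant_denied"] = False
    except PermissionError:
        results["cross_tenant_denied"] = True
    return results
```

The same check belongs in the test suite for every object type the application exposes, not only the one it was written for.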

Detection Signals

  • Cross-tenant data access from low-privilege accounts.
  • Audit logs showing successful requests to unauthorized object IDs.
  • Large bursts of sequential identifier requests.

Keywords

Broken Access Control, Broken Access Control Detection, Broken Access Control Prevention, Critical Severity, Web Application Security, Attack and Defense, Threat Detection, Security Hardening
