Broken Access Control is a broad category of vulnerabilities where restrictions on what authenticated users are allowed to do are not properly enforced. This is consistently ranked as a top security risk in the OWASP Top 10.
Common Manifestations
- Bypassing access control checks by modifying URLs or parameters
- Allowing users to act as other users or administrators
- Accessing APIs without proper authentication
- Privilege escalation (horizontal or vertical)
- Metadata manipulation (JWT, cookies, hidden fields)
- CORS misconfiguration allowing untrusted origins to read API responses
Example Scenarios
// 1. URL parameter manipulation
GET /account?id=123 → GET /account?id=456
// 2. Forced browsing to admin pages
GET /admin/users (no role check)
// 3. API method bypass
// DELETE restricted, but:
POST /api/users/delete/123 works!
// 4. Insecure direct object reference (predictable name, no ownership check)
GET /documents/secret-doc.pdf
Prevention
- Implement access control centrally and consistently
- Deny by default except for public resources
- Log access control failures and alert on repeated attempts
- Rate limit API access to minimize automated attacks
- Invalidate JWT tokens on logout (server-side)
- Minimize CORS usage and restrict it to an explicit list of trusted origins
- Record ownership and enforce it in every query
Testing Approach
- Test every endpoint with different user roles
- Try accessing resources owned by other users
- Test for parameter manipulation
- Verify role checks are server-side, not client-only
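The following is an added example, not code from the original page: a small in-memory model of the scenarios above (account lookup by id, an admin-only user list, and user deletion reachable through two routes) with a single authorize() function that every handler calls. It shows the prevention list in working form (central policy, deny by default, ownership enforced in the query, logging and alerting on repeated failures) and ends with an authorization-matrix check of the kind the testing approach calls for. All names (User, Account, POLICY, authorize, dispatch, authorization_matrix) and the sample rows are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import logging

AUDIT = logging.getLogger("access-control")          # failures go to the audit log
DENIALS = defaultdict(int)                            # per-subject denial counter
ALERT_THRESHOLD = 3                                   # constructed threshold for alerting

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; comes from the server-side session, never the client

@dataclass(frozen=True)
class Account:
    id: int
    owner_id: int
    balance: int

# Constructed sample rows standing in for a database table.
ACCOUNTS = {123: Account(123, owner_id=1, balance=500),
            456: Account(456, owner_id=2, balance=900)}

def _is_admin(user, _resource=None):
    return user.role == "admin"

def _is_owner(user, resource):
    return resource is not None and resource.owner_id == user.id

# The one place policy lives. An action not listed here is denied, so a new
# endpoint that forgets to register itself fails closed.
POLICY = {
    "account:read":   lambda u, r: _is_owner(u, r) or _is_admin(u),
    "account:update": _is_owner,
    "users:list":     _is_admin,
    "users:delete":   _is_admin,
}

class AccessDenied(Exception):
    pass

def authorize(user, action, resource=None):
    """Deny by default; log every failure; alert on repeats; raise on denial."""
    rule = POLICY.get(action)
    if user is not None and rule is not None and rule(user, resource):
        return True
    subject = user.id if user is not None else "anonymous"
    DENIALS[subject] += 1
    AUDIT.warning("denied subject=%s action=%s resource=%s",
                  subject, action, getattr(resource, "id", None))
    if DENIALS[subject] >= ALERT_THRESHOLD:
        AUDIT.error("repeated denials subject=%s count=%d", subject, DENIALS[subject])
    raise AccessDenied(action)

# Handlers: each one calls authorize(); none trusts a role or id sent by the client.

def get_account(user, account_id):
    """Scenario 1: the id in the URL selects a row; ownership decides access."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return {"status": 404}
    authorize(user, "account:read", account)
    return {"status": 200, "id": account.id, "balance": account.balance}

def list_accounts(user):
    """Ownership is part of the query, not a filter applied later in the UI."""
    rows = ACCOUNTS.values() if _is_admin(user) else \
        (a for a in ACCOUNTS.values() if a.owner_id == user.id)
    return sorted(a.id for a in rows)

def list_users(user):
    """Scenario 2: /admin/users carries an explicit server-side role check."""
    authorize(user, "users:list")
    return {"status": 200}

def delete_user(user, target_id):
    """Scenario 3: DELETE /api/users/<id> and POST /api/users/delete/<id>
    share this handler, so switching verbs cannot skip the check."""
    authorize(user, "users:delete")
    return {"status": 204, "deleted": target_id}

ROUTES = {("DELETE", "/api/users/<id>"): delete_user,
          ("POST", "/api/users/delete/<id>"): delete_user}

def dispatch(method, path_template, user, target_id):
    handler = ROUTES.get((method, path_template))
    if handler is None:
        return {"status": 405}
    try:
        return handler(user, target_id)
    except AccessDenied:
        return {"status": 403}

def authorization_matrix():
    """Testing approach: every case under every role, as {(role, case): status}."""
    subjects = {"anonymous": None, "user1": User(1, "user"), "admin": User(9, "admin")}
    cases = {
        "read-own-123":    lambda u: get_account(u, 123)["status"],
        "read-other-456":  lambda u: get_account(u, 456)["status"],
        "admin-users":     lambda u: list_users(u)["status"],
        "delete-via-post": lambda u: dispatch("POST", "/api/users/delete/<id>", u, 5)["status"],
    }
    matrix = {}
    for role, u in subjects.items():
        for name, call in cases.items():
            try:
                matrix[(role, name)] = call(u)
            except AccessDenied:
                matrix[(role, name)] = 403
    return matrix
```

The matrix is the artifact worth keeping in a test suite: it pins down the expected status for every (role, endpoint) pair, so a later change that drops an authorize() call or routes a verb around the handler shows up as a diff in the matrix rather than as a silent regression. Because POLICY is the only place rules are defined, a missing entry fails closed instead of open.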
See Also