Broken access control tops OWASP's list. Learn how attackers exploit authorization gaps and how your team can prevent IDOR and privilege escalation with robust server-side checks and least privilege.


Broken Access Control - The #1 Web Application Vulnerability That's Breaking Businesses

Introduction

In the OWASP Top 10 for 2021, Broken Access Control claimed the number one position as the most critical web application security vulnerability. This rise from fifth place shows how authorization failures have become a primary attack vector used to compromise modern applications.

Studies show that 94% of tested applications contain some form of access control weakness, with an average incidence rate of 3.81%. The 34 CWEs mapped to this category had more occurrences in tested applications than any other category, making it essential for engineering and security teams to understand and mitigate this threat.

Access control enforces policy for what authenticated users can do. When these controls fail, attackers bypass authorization, reach sensitive functionality, and exfiltrate data.

Understanding Broken Access Control

Broken access control occurs when an application fails to properly enforce permissions on resources or actions. These flaws rarely require a sophisticated exploit: an attacker often reaches a sensitive object simply by editing a URL or request parameter.

  • Vertical privilege escalation: Regular users gaining administrative capabilities (e.g., changing /user/profile to /admin/dashboard).
  • Horizontal privilege escalation: Accessing other users' data by modifying identifiers in requests.
  • IDOR: Insecure Direct Object References, where an object is fetched by a client-supplied identifier that the server never checks against the caller's authorization.

Common Attack Scenarios

URL Parameter Manipulation

Attackers change identifiers like /user/123 to /user/456 to view or modify another user's data.

Missing Function-Level Access Control

The UI hides or disables privileged functions, but the server-side routes/APIs behind them remain callable. Admin functions are reachable via direct URL or API calls if authorization middleware is missing.

Metadata Manipulation

Attackers tamper with JWT claims, cookies, or hidden fields to escalate privileges. Client-side checks without server validation are easily bypassed.

Mass Assignment

Overly permissive binding allows untrusted input to set sensitive fields such as isAdmin.
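The two scenarios above that hinge on trusting the client, metadata manipulation and mass assignment, are easiest to see side by side. The following is an added example written for this article (not code from the original page): a profile-update handler that binds every submitted field next to one that binds only an allowlist, and a privilege check that reads a role the client wrote itself next to one that verifies an HMAC-signed token and then looks the role up server-side. The user store, the `SERVER_KEY` and the token format are constructed for the demonstration.

```python
# Added example: mass assignment and client-supplied privilege claims,
# vulnerable handler beside the hardened one. All data here is constructed.
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False


# Constructed in-memory user store; only user 1 is an administrator.
USERS = {7: User(7, "alice@example.test"), 1: User(1, "root@example.test", True)}

# Fields a user is allowed to change about their own profile.
EDITABLE_FIELDS = {"email"}


def update_profile_vulnerable(user_id: int, body: dict) -> User:
    """Mass assignment: every key in the request body is bound onto the model."""
    user = copy.deepcopy(USERS[user_id])
    for key, value in body.items():
        setattr(user, key, value)  # an attacker-supplied "is_admin": true lands here
    return user


def update_profile_hardened(user_id: int, body: dict) -> User:
    """Allowlist binding: unknown or privileged fields are rejected, not ignored."""
    user = copy.deepcopy(USERS[user_id])
    rejected = set(body) - EDITABLE_FIELDS
    if rejected:
        raise PermissionError(f"fields not editable by the user: {sorted(rejected)}")
    for key in body:
        setattr(user, key, body[key])
    return user


# Assumption: a real deployment loads this key from a secret store, never from source.
SERVER_KEY = b"constructed-demo-key"


def issue_token(user_id: int) -> str:
    """Server-issued session token: hex(payload).hex(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": user_id}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def is_admin_vulnerable(cookie: dict) -> bool:
    """Metadata manipulation: trusts a role claim the client can set to anything."""
    return cookie.get("role") == "admin"


def is_admin_hardened(token: str) -> bool:
    """Verifies the signature, then takes the role from the server-side record."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # tampered or forged token
    user = USERS.get(json.loads(payload).get("sub"))
    return bool(user and user.is_admin)  # role is never read from the token itself
```

The hardened handler rejects a request carrying `is_admin` instead of silently dropping it; a rejection is a signal worth logging, since a legitimate client never sends that field. The hardened privilege check carries only a subject identifier in the token and resolves the role from the server's own record, so a user whose role is revoked loses it immediately rather than at token expiry.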

Real-World Impact

  • Snapchat (2014): API access control flaws exposed 4.6M usernames and phone numbers.
  • Instagram (2019): IDOR allowed viewing private posts by manipulating user IDs.
  • Optus (2023): IDOR enabled access to nearly 10M customer records.

Business consequences include unauthorized data disclosure, regulatory penalties (GDPR/HIPAA), brand damage, and significant incident response costs.

Prevention Strategies

  • Least privilege: Grant only the minimum permissions needed.
  • RBAC: Use role-based access control to align permissions with job functions.
  • Server-side authorization: Validate every request on the server; never trust client-side checks.
  • Secure API design: Enforce authorization on all CRUD endpoints.
  • Input validation: Validate IDs and references; verify ownership on every object access.

Detection and Monitoring

  • Audit logging: Capture authorization decisions and failed access attempts.
  • Automated security testing: Regular scans for IDOR and permission bypass across roles.
  • Behavioral analysis: Detect anomalies that indicate privilege escalation attempts.
  • Regular security assessments: Perform targeted penetration testing of authorization paths across UI and API layers.
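The first and third points above, audit logging and behavioral analysis, combine naturally: once authorization decisions are logged, two simple detectors already surface most IDOR probing. Below is an added example (not part of the original article) that runs over a handful of constructed audit-log lines in an assumed format (timestamp, user id, method, path, status) and flags a user who accumulates repeated 403 responses or touches an unusual number of distinct object identifiers within a short window. The thresholds, window size and path pattern `/api/invoices/<id>` are assumptions for the demonstration.

```python
# Added example: detection logic over constructed audit-log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: user 7 reads its own invoice, then walks through six
# foreign ones and is denied each time; users 8 and 1 behave normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=7 GET /api/invoices/100 200
2024-05-01T10:00:02Z user=7 GET /api/invoices/101 403
2024-05-01T10:00:03Z user=7 GET /api/invoices/102 403
2024-05-01T10:00:04Z user=7 GET /api/invoices/103 403
2024-05-01T10:00:05Z user=7 GET /api/invoices/104 403
2024-05-01T10:00:06Z user=7 GET /api/invoices/105 403
2024-05-01T10:00:07Z user=7 GET /api/invoices/106 403
2024-05-01T10:00:09Z user=8 GET /api/invoices/101 200
2024-05-01T10:01:00Z user=1 DELETE /api/invoices/100 200
2024-05-01T10:30:00Z user=9 GET /api/invoices/200 403
this line is garbage and is skipped
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_RE = re.compile(r"^/api/invoices/(\d+)$")  # assumed object-URL shape


def parse_line(line: str):
    """Parse one audit-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    obj = OBJECT_RE.match(m["path"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "status": int(m["status"]),
        "object_id": obj.group(1) if obj else None,
    }


def detect(lines, window=timedelta(minutes=5), denied_threshold=5, enum_threshold=5):
    """Flag users with many denials or many distinct object ids inside one window."""
    by_user = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        flagged = set()  # report each finding type once per user
        for i, start in enumerate(events):
            # Every event within `window` of this starting event.
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            denied = sum(1 for e in in_window if e["status"] == 403)
            ids = {e["object_id"] for e in in_window if e["object_id"]}
            if denied >= denied_threshold and "repeated_denials" not in flagged:
                flagged.add("repeated_denials")
                findings.append({"user": user, "type": "repeated_denials",
                                 "count": denied, "at": start["ts"]})
            if len(ids) >= enum_threshold and "object_enumeration" not in flagged:
                flagged.add("object_enumeration")
                findings.append({"user": user, "type": "object_enumeration",
                                 "distinct_ids": len(ids), "at": start["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The enumeration detector counts successful requests as well as denied ones, so it still fires when ownership checks are missing and every foreign object is returned with a 200; in that case the audit log shows no 403s at all, which is exactly why the two signals should be run together.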

Strengthen your authorization model with expert testing. See our web application and API penetration testing services. U.S. organizations can also review our guide for U.S. businesses.

Frequently Asked Questions

How can I identify broken access control in my app?

Map roles, permissions, and sensitive objects. Create test accounts for each role and attempt both horizontal and vertical access. Fuzz object IDs and references in URLs and API requests. Ensure client checks are backed by server-side authorization.
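The prevention strategies listed earlier (least privilege, RBAC, server-side authorization on every CRUD endpoint, ownership verification) and the testing approach in this answer are two sides of the same model, so one added example serves both. The code below is written for this article and is not the page's own: an authorization layer that first applies a role-to-permission map (the vertical check) and then an ownership check on the specific object (the horizontal check), with handlers that call it on every access, followed by a role-matrix test that calls every endpoint as every test account and compares the result with an independently written expected policy. The roles, invoice objects, endpoint names and principals are constructed for the demonstration.

```python
# Added example: RBAC plus per-object ownership checks enforced server-side,
# and a role-matrix test exercising every endpoint as every role.
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not authorized; maps to HTTP 403 in a real application."""


# Role -> permitted actions. Anything not listed is denied (deny by default).
ROLE_PERMISSIONS = {
    "user": {"invoice:read", "invoice:update"},
    "admin": {"invoice:read", "invoice:update", "invoice:delete", "user:list"},
}


@dataclass(frozen=True)
class Principal:
    id: int
    role: str  # resolved server-side from the session, never taken from the request


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed in-memory data: two ordinary users each own one invoice.
INVOICES = {100: Invoice(100, owner_id=7, amount=50), 101: Invoice(101, owner_id=8, amount=75)}
USERS = {1: "admin", 7: "user", 8: "user"}


def authorize(principal: Principal, action: str, resource=None) -> None:
    # Vertical check (RBAC): may this role perform the action at all?
    if action not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise Forbidden(f"role {principal.role!r} may not {action}")
    # Horizontal check (ownership): a plain user may only touch objects it owns.
    if resource is not None and principal.role != "admin" and resource.owner_id != principal.id:
        raise Forbidden(f"user {principal.id} does not own object {resource.id}")


def get_invoice(principal: Principal, invoice_id: int) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("not found")  # same response for missing and foreign objects
    authorize(principal, "invoice:read", invoice)
    return invoice


def delete_invoice(principal: Principal, invoice_id: int) -> bool:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("not found")
    authorize(principal, "invoice:delete", invoice)
    return True  # constructed: a real handler would delete the record here


def list_users(principal: Principal) -> list:
    authorize(principal, "user:list")
    return sorted(USERS)


def access_matrix(endpoints: dict, principals: dict) -> dict:
    """Call every endpoint as every principal; returns {(principal, endpoint): 'allow'|'deny'}."""
    results = {}
    for pname, principal in principals.items():
        for ename, call in endpoints.items():
            try:
                call(principal)
                results[(pname, ename)] = "allow"
            except Forbidden:
                results[(pname, ename)] = "deny"
    return results


# One test account per role, plus a second ordinary user for horizontal checks.
PRINCIPALS = {"alice": Principal(7, "user"), "bob": Principal(8, "user"), "admin": Principal(1, "admin")}
ENDPOINTS = {
    "read_100": lambda p: get_invoice(p, 100),
    "read_101": lambda p: get_invoice(p, 101),
    "delete_100": lambda p: delete_invoice(p, 100),
    "list_users": lambda p: list_users(p),
}

# Expected policy written down independently of the code, so drift is caught.
EXPECTED_ALLOW = {
    ("alice", "read_100"), ("bob", "read_101"),
    ("admin", "read_100"), ("admin", "read_101"), ("admin", "delete_100"), ("admin", "list_users"),
}


def unexpected_grants(results=None) -> list:
    """(principal, endpoint) pairs that were allowed but the policy says must be denied."""
    if results is None:
        results = access_matrix(ENDPOINTS, PRINCIPALS)
    return sorted(k for k, v in results.items() if v == "allow" and k not in EXPECTED_ALLOW)


if __name__ == "__main__":
    for key, verdict in sorted(access_matrix(ENDPOINTS, PRINCIPALS).items()):
        print(key, verdict)
    print("unexpected grants:", unexpected_grants())
```

Two design choices worth noting: an unknown or empty role gets an empty permission set rather than an error, so a misconfigured account is denied instead of accidentally allowed; and a missing object and a foreign object both produce the same response, so a caller cannot tell from the reply which identifiers exist. The matrix test is the automated form of the FAQ advice: add a row whenever a role or endpoint is introduced, and keep `EXPECTED_ALLOW` under review so that a new grant is a deliberate decision rather than a side effect.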

Why is it more dangerous than other vulnerabilities?

These flaws often grant direct access to sensitive data without complex exploitation. Simple parameter changes can succeed silently and look like normal traffic, making detection harder. With prevalence near 94% of apps, the attack surface is enormous.


Conclusion

Broken access control is the most critical risk facing modern web apps. Organizations can dramatically reduce exposure by implementing least privilege and RBAC, enforcing strict server-side authorization, and running regular penetration tests focused on authorization flows.
