Vol. 1 · Ed. 2026
CyberGlossary
Entry № 143

Broken Access Control

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Broken Access Control?

Broken Access Control: A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.


Broken Access Control is the #1 risk in the OWASP Top 10. It occurs when an application fails to consistently enforce who is allowed to do what — for example, missing server-side checks, relying on hidden URLs (security by obscurity), trusting client-side role information, or using direct object references without ownership verification. Variants include IDOR, force-browsing to admin pages, bypass via parameter tampering, and JWT scope manipulation. Impact ranges from information disclosure to total account or data takeover. Defences include centralised authorization middleware, deny-by-default policies, server-side enforcement for every action, scoped queries, thorough integration tests, and continuous DAST.

Examples

  1. A normal user calling /api/admin/users without role checks and receiving full lists.

  2. Changing a document UUID in the URL and reading another customer's invoice.
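Added example (not part of the glossary entry): server-side, deny-by-default enforcement for both cases above in plain Python, with no web framework. The router, the users and the invoice data are constructed stand-ins; the vulnerable lookup is shown only to contrast it with the scoped one.

```python
from collections import namedtuple
# roles comes from the server-side session, never from a client-supplied field
User = namedtuple("User", "id roles")

# Constructed sample data (not real accounts): invoices keyed by UUID, one owner each.
USERS = {"alice": User("alice", frozenset()), "bob": User("bob", frozenset()),
         "root": User("root", frozenset({"admin"}))}
INVOICES = {"7a1f-0001": {"owner": "alice", "total": 120},
            "7a1f-0002": {"owner": "bob", "total": 75}}

class Forbidden(Exception): pass

def require_role(role):
    """Centralised role check applied at the handler, not left to each route body."""
    def deco(fn):
        def wrapper(user, *args):
            if role not in user.roles:
                raise Forbidden(f"{user.id} lacks role {role}")
            return fn(user, *args)
        return wrapper
    return deco

@require_role("admin")
def list_users(user):
    """Example 01 fixed: a normal user never reaches this body."""
    return sorted(USERS)

def get_invoice_unscoped(invoice_id):
    """Example 02's defect (IDOR): lookup by id alone, ownership never checked."""
    return INVOICES[invoice_id]

def get_invoice(user, invoice_id):
    """Scoped lookup: ownership is part of the query, so another customer's UUID
    is indistinguishable from a missing one."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user.id:
        raise Forbidden("no such invoice for this user")
    return inv

def handle(user, path):
    """Minimal router returning (status, body); anything unmatched is refused."""
    try:
        if path == "/api/admin/users":
            return 200, list_users(user)
        if path.startswith("/api/invoices/"):
            return 200, get_invoice(user, path.rsplit("/", 1)[1])
        return 404, None
    except Forbidden:
        return 403, None
```

The point to carry over to a real application is that every route goes through the same check and every lookup carries the caller's identity into the query; an integration test that asserts the 403 cases above is the regression guard.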

Frequently asked questions

What is Broken Access Control?

A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges. It belongs to the Vulnerabilities category of cybersecurity.

What does Broken Access Control mean?

A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.

How do you defend against Broken Access Control?

Defences for Broken Access Control typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Broken Access Control?

Common alternative names include: BAC, Authorization bypass.
