Broken Access Control

Also known as: BAC, Authorization bypass

Definition

A class of vulnerabilities where authorization rules are missing or incorrectly enforced, letting users perform actions or reach data outside their privileges.

Broken Access Control is the #1 risk in the OWASP Top 10. It occurs when an application fails to consistently enforce who is allowed to do what — for example, missing server-side checks, relying on hidden URLs (security by obscurity), trusting client-side role information, or using direct object references without ownership verification. Variants include IDOR, force-browsing to admin pages, bypass via parameter tampering, and JWT scope manipulation. Impact ranges from information disclosure to total account or data takeover. Defences include centralised authorization middleware, deny-by-default policies, server-side enforcement for every action, scoped queries, thorough integration tests, and continuous DAST.

Examples

  • A normal user calling /api/admin/users without role checks and receiving full lists.
  • Changing a document UUID in the URL and reading another customer's invoice.
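Both examples above come down to the same missing step: the server acts on a client-supplied identifier or role claim without checking it against the caller's own privileges. The code below is an added illustration, not part of this glossary entry, that places a vulnerable direct object reference beside its scoped form and adds a deny-by-default role check for an admin-only action. The users, invoices, field names and the `require_role` decorator are constructed for the example and do not correspond to any real application.

```python
"""Broken Access Control: an IDOR beside its hardened, scoped lookup, plus a
server-side role check for an admin-only action. All data here is constructed
sample data standing in for a database."""
from dataclasses import dataclass
from functools import wraps
from typing import Optional


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "user" or "admin"; in a real app this comes from the session, never the request


@dataclass(frozen=True)
class Invoice:
    id: str
    owner_id: str
    total: int


# Constructed sample rows (hypothetical users and invoices).
INVOICES = {
    "inv-1001": Invoice("inv-1001", owner_id="alice", total=120),
    "inv-1002": Invoice("inv-1002", owner_id="bob", total=980),
}
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "carol": User("carol", "admin"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested action."""


# Vulnerable: the lookup is keyed only by the client-supplied id. Any signed-in
# user who changes the id in the URL receives another customer's invoice.
def get_invoice_vulnerable(caller: User, invoice_id: str) -> Optional[Invoice]:
    return INVOICES.get(invoice_id)


# Hardened: ownership is part of the query itself (a "scoped query"), so there
# is no code path that hands back a record the caller does not own. Admins may
# read any invoice; everyone else is denied by default. "Missing" and "not
# yours" return the same result so the response does not reveal which ids exist.
def get_invoice_scoped(caller: User, invoice_id: str) -> Optional[Invoice]:
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return None
    if caller.role == "admin" or inv.owner_id == caller.id:
        return inv
    return None


# Deny-by-default role enforcement on the server: the handler body only runs
# when the caller's server-side role is in the allow list. Nothing the client
# sends (hidden fields, a role claim in a request body) can widen that list.
def require_role(*allowed: str):
    def decorator(handler):
        @wraps(handler)
        def wrapper(caller: User, *args, **kwargs):
            if caller.role not in allowed:
                raise Forbidden(f"{caller.id} ({caller.role}) may not call {handler.__name__}")
            return handler(caller, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_users(caller: User) -> list:
    """Stand-in for the /api/admin/users handler: admin-only."""
    return sorted(USERS)


if __name__ == "__main__":
    alice, carol = USERS["alice"], USERS["carol"]
    print("vulnerable:", get_invoice_vulnerable(alice, "inv-1002"))  # bob's invoice leaks
    print("scoped:    ", get_invoice_scoped(alice, "inv-1002"))      # None
    print("admin:     ", get_invoice_scoped(carol, "inv-1002"))      # allowed
    try:
        list_users(alice)
    except Forbidden as e:
        print("denied:    ", e)
```

The scoped lookup is preferable to an ownership check appended after the fetch because every future caller of the query inherits the restriction; in a SQL-backed service the equivalent is adding `AND owner_id = :caller_id` to the query rather than filtering the row afterwards.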

Related terms