Broken Access Control

Broken Access Control is a critical security risk that occurs when applications fail to enforce proper authorization, allowing attackers to access, modify, or delete sensitive data and perform unauthorized actions. These vulnerabilities arise when restrictions on what authenticated users can do are not correctly implemented, leading to data breaches, privilege escalation, and system compromise. Attackers exploit these flaws by bypassing access controls through parameter manipulation, forced browsing, or privilege escalation techniques.

Common Vulnerabilities:

• Insecure Direct Object References (IDOR)
• Missing or Weak Authorization Checks
• Privilege Escalation (Horizontal & Vertical)
• Forced Browsing (Accessing Hidden Endpoints)
• Improper Session Handling
• Bypassing Access Controls via Parameter Manipulation

To mitigate these risks, applications should enforce role-based access control (RBAC), implement least privilege policies, validate permissions on every request, use secure indirect object references, and regularly test access controls to prevent unauthorized access.