Application security flaws classified as broken access control weaknesses are the most impactful risk category in the OWASP Top 10. This article shows how attackers can exploit access control gaps, lists high-profile data breaches caused by such attacks, and gives best practices for preventing and mitigating broken access control vulnerabilities.
Broken access control vulnerabilities are a vast family of web application security flaws that can expose sensitive data, compromise accounts, and grant unauthorized privileges. To prevent and mitigate these risks, organizations should:
Access control refers to the enforcement of restrictions that define who or what is permitted to interact with specific resources or perform particular actions. In web applications, access control relies on three fundamental mechanisms:
Access control issues remain a widespread class of severe security weaknesses. Implementing effective access control requires balancing business, organizational, and legal constraints with technical enforcement. Deciding who can gain access to what is determined by business logic, so access control flaws are often caused by insecure design or implementation not keeping up with changing business requirements.
Access control mechanisms ensure that users can only perform actions and access resources within their designated permissions. These controls are categorized into three primary types: vertical, horizontal, and context-dependent access controls. Each of these access control mechanisms plays a vital role in maintaining security, enforcing business policies, and preventing unauthorized access or actions in web applications.
Vertical access controls enforce tiered permissions, restricting sensitive functionalities to specific user roles.
With this approach, different categories of users have distinct levels of access. For instance, an administrator might have privileges to modify or delete any user account, whereas a standard user is limited to managing only their own profile. These controls help enforce security principles like least privilege and separation of duties, ensuring users only access what is necessary for their role.
Horizontal access controls regulate access to data and resources among users of the same role or level.
For example, in an online banking platform, users can only view and manage their own accounts but are restricted from accessing another user’s financial details. These controls ensure data isolation and privacy, preventing unauthorized data access within the same permission level.
Context-dependent access controls adapt based on application state or user interactions, ensuring actions occur in the correct sequence.
For example, an e-commerce platform might restrict users from modifying their shopping cart after finalizing payment. Similarly, an application might prevent users from submitting the same form multiple times to reduce fraud risks or prevent data inconsistencies.
Attackers exploit weak or missing access control mechanisms in various ways. The Broken Access Control category in the OWASP Top 10 (A01:2021) encompasses over 30 distinct types of weaknesses (CWEs), spanning missing or misconfigured authorization checks, predictable identifiers, insecure default settings, excessive privileges, flawed enforcement logic in workflows or APIs and more. Attacks targeting such weaknesses can use one or many of the following exploit techniques.
Vertical privilege escalation happens when a user gains access to a higher level of functionality that should be restricted. For example, if a regular user can navigate to an admin dashboard and delete accounts, they have successfully exploited a vertical privilege escalation flaw.
One of the simplest causes of vertical privilege escalation is unprotected administrative functionality. Some applications fail to enforce role-based access control (RBAC) and make administrative features accessible via direct URLs.
For example, an application may host an admin panel at https://insecure-website.com/admin
. If the application does not check whether the requesting user is really an administrator, anyone with knowledge of the URL can access it. Worse, some applications may inadvertently disclose these URLs in publicly available files, such as robots.txt
to prevent crawlers from indexing internal app functionality. Even if the URL isn’t directly exposed, attackers can use brute-force techniques to guess common admin paths and exploit weak access controls.
Some applications may try to protect sensitive pages by assigning obscure URLs instead of enforcing proper authentication, for example:
https://insecure-website.com/administrator-panel-xy329
While this may seem secure at first glance, attackers have many ways to discover the hidden URL:
A proper security model requires explicit authentication and authorization checks, not just hiding endpoints.
Some applications put user privileges in modifiable request parameters, allowing attackers to escalate their permissions by altering values in:
For example, a user might see the following URL after logging in:
https://insecure-website.com/login/home.jsp?role=1
If the application determines privileges solely based on this parameter, an attacker could try modifying role=1
to role=2
or another value and potentially gain unauthorized access.
Some applications enforce access control at the platform level by restricting certain URLs or HTTP methods based on user roles. However, misconfigurations can allow such safeguards to be bypassed.
For instance, an application might restrict users with a manager role from executing a DELETE
request on the user management page:
DENY: POST, /admin/deleteUser, managers
If the access control mechanism is misconfigured, attackers might bypass this by:
X-Original-URL
GET
instead of POST
) to execute unauthorized actionsApplications may inconsistently enforce case sensitivity or path variations during access control checks, opening up security gaps. For example, an application may restrict access to an exact URL like:
/admin/deleteUser
However, if access control rules do not account for variations and wildcards and do not match server settings for routing, an attacker may bypass restrictions using tricks like:
/ADMIN/DELETEUSER/admin/deleteUser.anything/admin/deleteUser/
Framework-specific misconfigurations (such as useSuffixPatternMatch
in Spring-based applications) can further increase attack surfaces.
Horizontal privilege escalation occurs when a user gains access to another user’s resources instead of their own. Consider an application where users can view their profile using:
https://insecure-website.com/myaccount?id=123
An attacker may modify the id parameter to another user’s ID:
https://insecure-website.com/myaccount?id=456
If the application does not validate ownership, the attacker accesses someone else’s data. This is a classic insecure direct object reference (IDOR) vulnerability.
Some applications attempt to mitigate IDOR attacks by using randomized or hashed user identifiers (e.g. GUIDs). While this makes brute-force attacks harder, these identifiers can still leak in other areas, such as:
If an attacker can collect valid user identifiers from these or other sources, they could still execute IDOR-based privilege escalation.
An attacker can escalate from horizontal to vertical privilege escalation by compromising a privileged user account. For example, say an application accepts password reset requests based on a simple query parameter:
https://insecure-website.com/reset-password?id=789
If an attacker can modify the id parameter to an admin user’s ID and the request is not verified further, they could reset the admin password and gain full system control.
Business applications often implement multi-step workflows, such as user account modifications or payment processes. If some steps enforce access control while others do not, attackers can skip the controlled steps and directly invoke privileged actions.
For example:
If step 3 includes the results of previous steps and an attacker is able to skip steps 1 and 2 and directly submit a forged request to step 3, they will be able to bypass security controls.
Some applications rely on the Referer
header to determine access. For example, an application might use the Referer
header to enforce access control for users coming to /admin
from a different page but allow access to operations such as /admin/deleteUser
if the user is already coming from /admin
.
Since attackers can often manipulate headers, a forged request with a Referer
header that says /admin
may let them bypass such access restrictions.
Some applications restrict access based on the user’s geographical location (especially common for financial services and media streaming). However, attackers can circumvent these controls using:
Without server-side verification and multi-factor authentication, location-based restrictions can be easily bypassed.
Real-world attacks involving broken access control highlight the severity of this class of weaknesses:
Because broken access control is such a broad category of security risks, there is no single remedy for all possible access control flaws. The only way to mitigate the associated risks is to deeply integrate and enforce access-related security controls alongside secure application design principles that include access control as a fundamental aspect of design.
The Principle of Least Privilege ensures that users and systems only have the minimum necessary access required to perform their functions. This helps reduce the attack surface and limits potential damage from compromised accounts by restricting escalation options.
Regularly reviewing and auditing access control policies helps identify misconfigurations and unauthorized privilege escalations. Security teams should:
Only adding access control as an afterthought at a later stage of development greatly increases the risk of broken access control vulnerabilities in production. To prevent this, standardize and follow secure design practices:
Access control vulnerabilities—such as directory traversal, cross-site request forgery (CSRF), and insecure direct object references (IDOR)—are among the most common and dangerous issues in modern web applications. These flaws often arise from subtle implementation oversights that only surface during real-world usage. A DAST-first approach continuously scans running applications during development and in production, giving security teams visibility into actual exploit paths. Unlike tools that rely on code analysis, DAST tools work by interacting with live applications just as an attacker would, surfacing runtime issues that truly increase business risk.
Where static application security testing (SAST) can generate long lists of theoretical vulnerabilities without clear exploitability, dynamic testing through DAST focuses on what can actually be attacked. This not only cuts through the noise of false positives but also enables faster, more confident remediation. Invicti’s proof-based scanning takes this further by automatically confirming vulnerabilities with safe proof-of-exploit, eliminating guesswork for developers and freeing up security resources. With DAST-first, organizations can move beyond finding “everything” to fixing what matters—reducing real-world risk without slowing down development.
The OWASP Top 10 lists broken access control as the #1 application security risk category for a very good reason: access control is the foundation of all cybersecurity. Attackers want to get access to your data and systems by any means possible, and access control failures simply leave the door open for them. By enforcing strict access policies, implementing least privilege principles, and performing regular vulnerability scanning alongside formal audits, businesses can minimize exposure to unauthorized access and protect their sensitive assets with a DAST-first approach.
Get a proof-of-concept demo to see DAST-first AppSec in action!