Broken access control: The leading OWASP Top 10 security risk

Preventing broken access control vulnerabilities TLDR

Broken access control vulnerabilities are a vast family of web application security flaws that can expose sensitive data, compromise accounts, and grant unauthorized privileges. To prevent and mitigate these risks, organizations should:

• Implement server-side authentication and authorization checks
• Enforce role-based access control (RBAC) and the principle of least privilege to limit privilege escalation potential
• Regularly audit access logs for anomalies
• Use multi-factor authentication (MFA) to minimize the risk of unauthorized access
• Test for IDOR, directory traversal, and other URL-based access flaws using DAST scanners and manual penetration testing

Understanding access control

Access control refers to the enforcement of restrictions that define who or what is permitted to interact with specific resources or perform particular actions. In web applications, access control relies on three fundamental mechanisms:

• Authentication: Verifies a user’s identity to ensure they are who they claim to be
• Session management: Tracks and associates subsequent HTTP requests with the authenticated user
• Authorization: Checks whether the authenticated user has permission to execute a given action or retrieve a resource

Access control issues remain a widespread class of severe security weaknesses. Implementing effective access control requires balancing business, organizational, and legal constraints with technical enforcement. Deciding who can gain access to what is determined by business logic, so access control flaws are often caused by insecure design or implementation not keeping up with changing business requirements.

Types of access control in web applications

Access control mechanisms ensure that users can only perform actions and access resources within their designated permissions. These controls are categorized into three primary types: vertical, horizontal, and context-dependent access controls. Each of these access control mechanisms plays a vital role in maintaining security, enforcing business policies, and preventing unauthorized access or actions in web applications.

Vertical access controls

Vertical access controls enforce tiered permissions, restricting sensitive functionalities to specific user roles.

With this approach, different categories of users have distinct levels of access. For instance, an administrator might have privileges to modify or delete any user account, whereas a standard user is limited to managing only their own profile. These controls help enforce security principles like least privilege and separation of duties, ensuring users only access what is necessary for their role.

Horizontal access controls

Horizontal access controls regulate access to data and resources among users of the same role or level.

For example, in an online banking platform, users can only view and manage their own accounts but are restricted from accessing another user’s financial details. These controls ensure data isolation and privacy, preventing unauthorized data access within the same permission level.

Context-dependent access controls

Context-dependent access controls adapt based on application state or user interactions, ensuring actions occur in the correct sequence.

For example, an e-commerce platform might restrict users from modifying their shopping cart after finalizing payment. Similarly, an application might prevent users from submitting the same form multiple times to reduce fraud risks or prevent data inconsistencies.

Types of attacks exploiting broken access control 

Attackers exploit weak or missing access control mechanisms in various ways. The Broken Access Control category in the OWASP Top 10 (A01:2021) encompasses over 30 distinct types of weaknesses (CWEs), spanning missing or misconfigured authorization checks, predictable identifiers, insecure default settings, excessive privileges, flawed enforcement logic in workflows or APIs and more. Attacks targeting such weaknesses can use one or many of the following exploit techniques.

Privilege escalation exploits

Vertical privilege escalation

Vertical privilege escalation happens when a user gains access to a higher level of functionality that should be restricted. For example, if a regular user can navigate to an admin dashboard and delete accounts, they have successfully exploited a vertical privilege escalation flaw.

Exposed administrative features

One of the simplest causes of vertical privilege escalation is unprotected administrative functionality. Some applications fail to enforce role-based access control (RBAC) and make administrative features accessible via direct URLs.

For example, an application may host an admin panel at https://insecure-website.com/admin. If the application does not check whether the requesting user is really an administrator, anyone with knowledge of the URL can access it. Worse, some applications may inadvertently disclose these URLs in publicly available files, such as robots.txt to prevent crawlers from indexing internal app functionality. Even if the URL isn’t directly exposed, attackers can use brute-force techniques to guess common admin paths and exploit weak access controls.

Attempted security through obscurity

Some applications may try to protect sensitive pages by assigning obscure URLs instead of enforcing proper authentication, for example:

https://insecure-website.com/administrator-panel-xy329

While this may seem secure at first glance, attackers have many ways to discover the hidden URL:

• JavaScript exposure: If the application references the URL in client-side scripts, it becomes visible to all users.
• Network traffic inspection: Attackers can monitor requests to detect sensitive pages.
• Wordlist brute-forcing: Automated tools can scan for common naming patterns.
• Forced enumeration: If part of the URL is known, as in the example above, the “secret” part can be found by enumeration.

A proper security model requires explicit authentication and authorization checks, not just hiding endpoints.

Exploiting access control vulnerabilities via request manipulation

Parameter-based access control bypass

Some applications put user privileges in modifiable request parameters, allowing attackers to escalate their permissions by altering values in:

• Hidden form fields
• Cookies
• Query strings

For example, a user might see the following URL after logging in:

https://insecure-website.com/login/home.jsp?role=1

If the application determines privileges solely based on this parameter, an attacker could try modifying role=1 to role=2 or another value and potentially gain unauthorized access.

Exploiting platform misconfigurations

Some applications enforce access control at the platform level by restricting certain URLs or HTTP methods based on user roles. However, misconfigurations can allow such safeguards to be bypassed.

For instance, an application might restrict users with a manager role from executing a DELETE request on the user management page:

DENY: POST, /admin/deleteUser, managers

If the access control mechanism is misconfigured, attackers might bypass this by:

• Overriding the request URL using headers like X-Original-URL
• Using alternative HTTP methods (e.g. GET instead of POST) to execute unauthorized actions

Circumventing URL-based access restrictions

Applications may inconsistently enforce case sensitivity or path variations during access control checks, opening up security gaps. For example, an application may restrict access to an exact URL like:

/admin/deleteUser

However, if access control rules do not account for variations and wildcards and do not match server settings for routing, an attacker may bypass restrictions using tricks like:

/ADMIN/DELETEUSER
/admin/deleteUser.anything
/admin/deleteUser/

Framework-specific misconfigurations (such as useSuffixPatternMatch in Spring-based applications) can further increase attack surfaces.

Horizontal privilege escalation to access other users’ data

User ID manipulation

Horizontal privilege escalation occurs when a user gains access to another user’s resources instead of their own. Consider an application where users can view their profile using:

https://insecure-website.com/myaccount?id=123

An attacker may modify the id parameter to another user’s ID:

https://insecure-website.com/myaccount?id=456

If the application does not validate ownership, the attacker accesses someone else’s data. This is a classic insecure direct object reference (IDOR) vulnerability.

Obfuscated user identifiers

Some applications attempt to mitigate IDOR attacks by using randomized or hashed user identifiers (e.g. GUIDs). While this makes brute-force attacks harder, these identifiers can still leak in other areas, such as:

• User messages
• Public API responses
• System logs

If an attacker can collect valid user identifiers from these or other sources, they could still execute IDOR-based privilege escalation.

Combining horizontal and vertical privilege escalation

An attacker can escalate from horizontal to vertical privilege escalation by compromising a privileged user account. For example, say an application accepts password reset requests based on a simple query parameter:

https://insecure-website.com/reset-password?id=789

If an attacker can modify the id parameter to an admin user’s ID and the request is not verified further, they could reset the admin password and gain full system control.

Access control weaknesses in multi-step processes

Business applications often implement multi-step workflows, such as user account modifications or payment processes. If some steps enforce access control while others do not, attackers can skip the controlled steps and directly invoke privileged actions.

For example:

1. Step 1 (properly protected): Load the account modification form 
2. Step 2 (properly protected): Submit changes 
3. Step 3 (not properly protected): Confirm changes

If step 3 includes the results of previous steps and an attacker is able to skip steps 1 and 2 and directly submit a forged request to step 3, they will be able to bypass security controls.

Referrer-based access control flaws

Some applications rely on the Referer header to determine access. For example, an application might use the Referer header to enforce access control for users coming to /admin from a different page but allow access to operations such as /admin/deleteUser if the user is already coming from /admin.

Since attackers can often manipulate headers, a forged request with a Referer header that says /admin may let them bypass such access restrictions.

Location-based access control bypass

Some applications restrict access based on the user’s geographical location (especially common for financial services and media streaming). However, attackers can circumvent these controls using:

• VPNs or proxy servers to spoof locations.
• Client-side geolocation tampering by modifying browser settings.
• Manipulating HTTP request headers to fake their origin.

Without server-side verification and multi-factor authentication, location-based restrictions can be easily bypassed.

Real-world examples of data breaches caused by broken access control 

Real-world attacks involving broken access control highlight the severity of this class of weaknesses:

• Facebook (2013): A researcher discovered a vulnerability that allowed any user to delete photos from any account without permission, exposing a critical flaw in Facebook’s access control policies.
• Instagram (2019): An IDOR vulnerability enabled attackers to view private posts and stories by manipulating user IDs in API requests.
• GitHub (2022): A privilege escalation bug allowed users to gain higher access levels within repositories without authorization.
• Optus (2023): IDOR allowed a malicious hacker to directly access and enumerate nearly 10 million telco customer records.

How to prevent broken access control vulnerabilities

Because broken access control is such a broad category of security risks, there is no single remedy for all possible access control flaws. The only way to mitigate the associated risks is to deeply integrate and enforce access-related security controls alongside secure application design principles that include access control as a fundamental aspect of design.

Follow the Principle of Least Privilege (PoLP)

The Principle of Least Privilege ensures that users and systems only have the minimum necessary access required to perform their functions. This helps reduce the attack surface and limits potential damage from compromised accounts by restricting escalation options.

Use secure session management and authentication

• Implement multi-factor authentication (MFA) to enhance identity verification.
• Use secure session tokens and proper timeout settings to prevent session hijacking.
• Enforce strong password policies and implement CAPTCHA mechanisms to prevent brute-force attacks.

Perform regular access control audits and reviews

Regularly reviewing and auditing access control policies helps identify misconfigurations and unauthorized privilege escalations. Security teams should:

• Conduct automated access control testing.
• Perform role-based access control (RBAC) audits.
• Review log files and access control events for suspicious activity.

Enforce proper error handling and logging

• Avoid revealing excessive or sensitive information in error messages—a message like “Access Denied” gives an attacker much less useful information than “Invalid User ID.”
• Implement secure logging to track access control violations and potential attacks.
• Use intrusion detection systems (IDS) to monitor access attempts and anomalies.

Make access control a secure design consideration

Only adding access control as an afterthought at a later stage of development greatly increases the risk of broken access control vulnerabilities in production. To prevent this, standardize and follow secure design practices:

• Define access control requirements during architecture and threat modeling.
• Use centralized, server-side enforcement for all permission checks.
• Design with role-based access and least privilege as defaults.

Continuously test for access control vulnerabilities in development and production with a DAST-first approach

Access control vulnerabilities—such as directory traversal, cross-site request forgery (CSRF), and insecure direct object references (IDOR)—are among the most common and dangerous issues in modern web applications. These flaws often arise from subtle implementation oversights that only surface during real-world usage. A DAST-first approach continuously scans running applications during development and in production, giving security teams visibility into actual exploit paths. Unlike tools that rely on code analysis, DAST works by interacting with live applications just as an attacker would, surfacing runtime issues that truly increase business risk.

Where static application security testing (SAST) can generate long lists of theoretical vulnerabilities without clear exploitability, dynamic testing through DAST focuses on what can actually be attacked. This not only cuts through the noise of false positives but also enables faster, more confident remediation. Invicti’s proof-based scanning takes this further by automatically confirming vulnerabilities with safe proof-of-exploit, eliminating guesswork for developers and freeing up security resources. With DAST-first, organizations can move beyond finding “everything” to fixing what matters—reducing real-world risk without slowing down development.

Conclusion

The OWASP Top 10 lists broken access control as the #1 application security risk category for a very good reason: access control is the foundation of all cybersecurity. Attackers want to get access to your data and systems by any means possible, and access control failures simply leave the door open for them. By enforcing strict access policies, implementing least privilege principles, and performing regular vulnerability scanning alongside formal audits, businesses can minimize exposure to unauthorized access and protect their sensitive assets with a DAST-first approach.

Get a proof-of-concept demo to see DAST-first AppSec in action!

Frequently asked questions about broken access control