Broken Access Control

OWASP Top 10:2025 #1 Security Risk

Found in 100% of tested applications

What is it?

Access control enforces policy such that users cannot act outside of their intended permissions. When these controls fail, it leads to unauthorized information disclosure, modification or destruction of data, or performing business functions outside the user's limits.

Critical Impact

This category has the highest number of occurrences in the contributed data and the second-highest number of related CVEs, with over 32,000 vulnerabilities documented.


By The Numbers

40 CWEs Mapped
20.15% Max Incidence Rate
1.8M+ Total Occurrences
32,654 Related CVEs

Common Vulnerabilities

Least Privilege Violation

Access granted to anyone instead of specific capabilities, roles, or users (deny by default principle violated).

URL Manipulation

Bypassing access checks by modifying the URL, request parameters, or internal application state, or by using attack tools to modify API requests.

Insecure Direct Object References

Viewing or editing someone else's account by providing their unique identifier without proper authorization.

Missing API Controls

APIs lacking access controls for POST, PUT, and DELETE operations, allowing unauthorized data manipulation.

Privilege Escalation

Acting as a user without being logged in, or acting with privileges beyond those granted (e.g., a regular user obtaining admin access).

Token Manipulation

Replaying or tampering with JWT tokens, cookies, or hidden fields to elevate privileges or abuse invalidation.


Attack Scenarios

1. SQL Parameter Tampering

Application uses unverified data in SQL queries:

// Java: the account id is taken straight from the request and bound into the query
pstmt.setString(1, request.getParameter("acct"));

Attacker modifies the 'acct' parameter in the URL to access any user's account without verification. Note that the statement is parameterized, so this is not SQL injection: the flaw is that nothing checks whether the caller is allowed to see the requested account.

2. Forced Browsing

Attacker directly accesses admin URLs:

https://example.com/app/admin_getappInfo

If unauthenticated users or non-admins can access admin pages, it's a critical flaw.

3. Frontend-Only Security

Access control implemented only in JavaScript:

$ curl https://example.com/app/admin_getappInfo

Attackers bypass frontend restrictions using command-line tools to access protected endpoints directly.

How to Prevent

Access control is only effective when implemented in trusted server-side code or serverless APIs, where attackers cannot modify the access control check or metadata.

Deny by default - except for public resources

Implement access controls once and reuse throughout the application

Enforce record ownership rather than allowing CRUD on any record

Disable web server directory listing and remove metadata files

Log access control failures and alert admins appropriately

Implement rate limits on API and controller access

Invalidate session identifiers on logout; use short-lived JWT tokens
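The following is an added example, not code from the OWASP page: it reproduces scenario 1 above as a Python/sqlite3 handler (the vulnerable lookup that trusts the 'acct' parameter) next to a hardened version that applies the prevention points above: deny by default, server-side authorization, record ownership enforced in the query, and denials logged. The table, user names and session shape are constructed for the example.

```python
import sqlite3
import logging

log = logging.getLogger("access-control")

# Constructed sample data: two users, each owning exactly one account.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
               [(1001, "alice", 500), (1002, "bob", 900)])

class Forbidden(Exception):
    """Raised whenever a request is denied (deny by default)."""

def get_account_vulnerable(params):
    """Scenario 1: the query is parameterized (no SQL injection), but the
    account id comes straight from the request and is never compared with
    the caller, so anyone who changes 'acct' reads any account."""
    return db.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                      (params["acct"],)).fetchone()

def get_account(session, params):
    """Hardened version: authenticate, validate input, and make ownership
    part of the lookup itself so a foreign id simply matches nothing."""
    user = session.get("user") if session else None
    if user is None:
        log.warning("denied: unauthenticated request for acct=%s", params.get("acct"))
        raise Forbidden("authentication required")
    try:
        acct_id = int(params["acct"])
    except (KeyError, ValueError):
        raise Forbidden("invalid account id") from None
    row = db.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (acct_id, user)).fetchone()
    if row is None:
        # Log the failure so repeated probing of other ids can be alerted on.
        log.warning("denied: user=%s requested acct=%s", user, acct_id)
        raise Forbidden("no such account for this user")
    return row

def can_read(session, params):
    """Convenience wrapper: True if the hardened handler grants access."""
    try:
        get_account(session, params)
        return True
    except Forbidden:
        return False
```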


Best Practices for Developers

Server-Side Implementation

Always implement access controls in trusted server-side code or serverless APIs where attackers cannot modify checks.

Testing & Validation

Include functional access control unit and integration tests in your development workflow.

Use Established Patterns

Leverage well-tested toolkits or frameworks that provide simple, declarative access controls.

Minimize CORS Usage

Carefully configure Cross-Origin Resource Sharing to prevent unauthorized API access from untrusted origins.