Broken Access Control
How Broken Access Control Undermines Enterprise Security
WHAT IS BROKEN ACCESS CONTROL?
Broken access control has moved up from #5 in 2017 to #1 in 2021 in the OWASP Top 10 list of most serious web application security risks. The 34 Common Weakness Enumerations mapped to Broken Access Control had more occurrences in applications than any other category. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function Level Access Control), broken access control allows attackers to bypass authorization safeguards and perform tasks as if they were privileged users.
When working correctly, access control is the way a web application enforces policies that manage access to content and functions, granting authorization to some users and denying it to others. Application access policies can be “broken” when developers misconfigure functional-level access, resulting in flaws or gaps that deny access to legitimate users and let attackers assume the role of users or administrators outside of an application’s intended permissions. Broken access control failures can lead to unauthorized information disclosure, modification or destruction of data, and the performance of a business function that deviates from its intended use.
Preventing Broken Access Control
Trusted server-side code or server-less API, where an attacker can't modify the access control check or metadata, is the only effective access control.
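As an added illustration (not code from this page or from Contrast), the following constructed Python sketch shows the two flaws the page names: an Insecure Direct Object Reference handler that trusts a client-supplied record id, beside a version that enforces ownership and role checks on the server, denies by default, and logs denials for detection. The invoice store, user names and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (hypothetical): a tiny invoice store.
@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float

INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 75.50),
}

# Denied requests are recorded here so they can feed alerting.
ACCESS_LOG: List[Tuple[str, str, int]] = []

def get_invoice_vulnerable(caller: User, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the id comes from the client and ownership is never checked,
    so any authenticated user can read any other user's invoice."""
    return INVOICES.get(invoice_id)

def _authorize(caller: User, invoice: Invoice) -> bool:
    # Server-side ownership check; admins may read any record.
    return caller.role == "admin" or invoice.owner == caller.name

def get_invoice(caller: User, invoice_id: int) -> Optional[Invoice]:
    """Fixed version: deny by default and decide on the server, where the
    caller cannot tamper with the check. Missing and forbidden records get
    the same response so ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not _authorize(caller, invoice):
        ACCESS_LOG.append(("denied", caller.name, invoice_id))
        return None
    return invoice

def delete_invoice(caller: User, invoice_id: int) -> bool:
    """Function-level access control: only the admin role may delete."""
    if caller.role != "admin":
        ACCESS_LOG.append(("denied", caller.name, invoice_id))
        return False
    return INVOICES.pop(invoice_id, None) is not None
```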
Contrast is the clear customers’ choice
Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.
Built for Developers. Trusted by Security.
Learn Secure Code
CROSS SITE SCRIPTING (XSS)
Learn about cross-site scripting (XSS) and how it affects your Java source code
SQL INJECTION
Learn about SQL injection and how it affects your Java source code
CLIENT SIDE INJECTION
Learn about client-side injection and how it can affect your source code