WHAT IS BROKEN ACCESS CONTROL?

Broken access control has moved up from #5 in 2017 to #1 in 2021 in the OWASP Top 10 list of most serious web application security risks. The 34 Common Weakness Enumerations mapped to Broken Access Control had more occurrences in applications than any other category. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function Level Access Control), broken access control allows attackers to bypass authorization safeguards and perform tasks as if they were privileged users.

When working correctly, access control is the way a web application enforces policies that manage access to content and functions, granting authorization to some users and denying it to others. Application access policies can be “broken” when developers misconfigure functional-level access, resulting in flaws or gaps that deny access to legitimate users and let attackers assume the role of users or administrators outside of an application’s intended permissions. Broken access control failures can lead to unauthorized information disclosure, modification or destruction of data, and the performance of a business function that deviates from its intended use.

Preventing Broken Access Control

Trusted server-side code or server-less API, where an attacker can't modify the access control check or metadata, is the only effective access control.