WHAT IS BROKEN ACCESS CONTROL?
Broken access control is #5 on the latest (2017) OWASP Top 10 list. Originally a combination of two Top 10 vulnerabilities from the 2013 list (Insecure Direct Object References and Missing Function Level Access Control), broken access control allows attackers to bypass authorization safeguards and perform tasks as if they were privileged users.
When working correctly, access control is the way a web application enforces policies that manage access to content and functions, granting authorization to some users and denying it to others. Application access policies can be “broken” when developers misconfigure functional-level access, resulting in flaws or gaps that deny access to legitimate users and let attackers assume the role of users or administrators outside of an application’s intended permissions. Broken access control failures can lead to unauthorized information disclosure, modification or destruction of data, and the performance of a business function that deviates from its intended use.