Broken Access Control Vulnerability Basics | A01 – OWASP TOP 10 2021

Define Broken Access Control

Broken Access Control: In a web application, the broken access control vulnerability arises when the application fails to properly validate authorization after the user has been authenticated.

Difference between authentication and access control

  • Authentication identifies the user and confirms that they are who they say they are.
  • Authorization (Access control) determines whether the user is allowed to carry out the action that they are attempting to perform.

A broken access control vulnerability allows an attacker to bypass authorization safeguards and access private data, or to perform tasks/functions as a privileged user (vertical privilege escalation) or as another user with the same privileges (horizontal privilege escalation).

Access control refers to a system that controls access to information or functionality. For example, a regular user of a website can only access certain areas/pages of the website, while an administrator can access all the administrative pages, all user details, etc. If access control is not properly implemented, an unauthenticated or unauthorized user can gain access to sensitive data, files, administrative pages, etc.

Broken access control flaws typically lead to unauthorized information disclosure, modification or destruction of data, performing a business function outside the user's limits, etc. Some common access control vulnerabilities are covered below.

Also note that this is an authorization issue, not an authentication issue; it is different from broken authentication.

Privilege Escalation

Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, or to view or modify private information. It usually occurs when a system has a bug that allows security to be bypassed, or has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

  • Vertical Privilege Escalation: where a lower-privilege user or application accesses functions or content reserved for higher-privilege users or applications (e.g. an Internet banking user can access site administrative functions, or the password for a smartphone can be bypassed).
  • Horizontal Privilege Escalation: where a normal user accesses functions or content reserved for other normal users (e.g. Internet banking User A accesses the Internet bank account of User B).

Broken Access Control vulnerabilities

Insecure Direct Object Reference (IDOR)

A Direct Object Reference is a web application design method in which entity names are used to identify application-controlled resources and are passed in URLs or request parameters. An IDOR, or Insecure Direct Object Reference, vulnerability occurs when an application exposes a reference to an internal implementation object, revealing the real identifier used to access the element on the backend. IDOR arises from weak access control implementation, which can lead to access to sensitive private data, files, sensitive functions, etc.

For example, suppose there is a website like LinkedIn that allows users to set up a profile and share information about themselves, and logged-in users get the private details of their own account using the link below.

Now if a malicious user tampers with the uid parameter by changing it to 1201 and gets access to another user's private details, then the application is vulnerable to IDOR (with horizontal privilege escalation), and by incrementing/decrementing the uid value the attacker can access every user's private details.

Now let's see some examples of broken access control in the test lab environment. To set up your lab, look at our previous blog post [How to Setup Web Application Security Testing Environment].

IDOR example in XVWA

On the IDOR page only 5 items are accessible through the drop-down menu,

but by incrementing the item parameter in the URL we can access more items that are not listed in the drop-down list.
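The uid/item lookups above, as an added example that is not code from the original post or from XVWA: a profile handler keyed by a user-supplied uid, first in the vulnerable form and then with the missing object-level authorization check, plus a simple detection pass over the denied requests. The PROFILES table, DENIED_LOG sink and enumeration_suspects threshold are constructed for the demonstration.

```python
# Added example (not from the original post). All data below is constructed.

PROFILES = {  # constructed backend table: uid -> private profile data
    1200: {"name": "Alice", "email": "alice@example.test", "role": "user"},
    1201: {"name": "Bob", "email": "bob@example.test", "role": "user"},
    1: {"name": "Root", "email": "admin@example.test", "role": "admin"},
}

DENIED_LOG = []  # hypothetical audit sink; real code would write to the app log


def get_profile_vulnerable(session_uid, requested_uid):
    """Vulnerable: trusts the uid from the request and never checks ownership.
    Any authenticated user can walk uid=1200, 1201, ... (horizontal escalation)."""
    return PROFILES.get(requested_uid)


def get_profile_secure(session_uid, requested_uid):
    """Hardened: authorization is enforced server-side on every object access.
    The caller may read only its own profile unless its role is admin."""
    caller = PROFILES.get(session_uid)
    if caller is None:
        return None  # not authenticated; a real handler would answer 401
    if requested_uid != session_uid and caller["role"] != "admin":
        # Deny and record the attempt; the uid being probed is kept for triage.
        DENIED_LOG.append({"session_uid": session_uid,
                           "requested_uid": requested_uid})
        return None  # a real handler would answer 403
    return PROFILES.get(requested_uid)


def enumeration_suspects(threshold):
    """Sessions whose denied object accesses reach the threshold: a run of
    403s with different uids from one session is the signature of someone
    incrementing the parameter, so it is worth alerting on."""
    counts = {}
    for entry in DENIED_LOG:
        counts[entry["session_uid"]] = counts.get(entry["session_uid"], 0) + 1
    return sorted(uid for uid, n in counts.items() if n >= threshold)
```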

Cross Site Request Forgery (CSRF)

CSRF, or Cross Site Request Forgery, is a web vulnerability where an attacker tricks the victim's browser into sending forged requests to a website, which then performs certain actions on behalf of the logged-in user (the victim). The web server processing the request executes the actions it asks for, as it looks just like any normal request generated by the user's browser. For more details about CSRF, check out the post CSRF Vulnerability Explained.

CORS Misconfiguration

A misconfigured CORS (Cross Origin Resource Sharing) policy can be leveraged to bypass the browser's cross-origin restrictions on a web application. For a more detailed explanation, check out CORS Misconfiguration Vulnerability Explained.
