What is Broken Access Control? Risks and Prevention

What is Broken Access Control? Risks and Prevention

You've implemented two-factor authentication, password hashing, and HTTPS across the board, yet your application still gets breached. The culprit may be a commonly overlooked vulnerability: broken access control. Ranked #1 in the OWASP Top 10, it affects applications of all sizes, from startups to large enterprises. This article explains what broken access control is, its most common forms, its real-world impact on businesses, and effective prevention measures to fully protect your system.

1. What is broken access control?

Broken access control is a security vulnerability that occurs when an application's access control mechanism is misconfigured or bypassed, allowing users to perform actions or access resources outside their granted permissions.

In simpler terms, access control is the set of rules that determines who is allowed to do what within a system. When this mechanism breaks down, a regular user may be able to view another user's data, perform functions intended for administrators, or modify information they have no right to change.

For example, a regular customer account accesses the /admin/dashboard path and the system does not reject the request because there is no server-side permission check. This is a typical manifestation of broken access control.

Broken access control is ranked #1 by OWASP in the Top 10 web application security vulnerabilities since 2021, overtaking injection attacks. This reflects the high frequency and severe impact of this vulnerability class in practice.

Broken access control 1.png
What is broken access control?

2. Common types of broken access control

Broken access control 2.png
Classification of broken access control

Broken access control is not a single vulnerability but a group of flaws with many variants. Similar to SQL injection attacks, these vulnerabilities exploit weaknesses at the application layer and can cause serious consequences if not detected early.

Vulnerability TypeDescriptionReal-world ExampleSeverity
Vertical privilege escalationRegular user performs admin-level actionsUser accesses /admin/delete-user pageCritical
Horizontal privilege escalationUser accesses resources belonging to another user at the same permission levelUser A views User B's orders by modifying the IDHigh
IDORDirect reference to internal objects without access checks?invoice_id=1042 changed to 1043 to view another user's invoiceHigh
Missing function-level access controlSensitive endpoints do not enforce server-side permission checksAPI /api/export-data does not require an admin tokenHigh
CORS misconfigurationServer allows untrusted origins to send cross-domain requestsAttacker reads sensitive data from a spoofed domainMedium–High

2.1. Vertical privilege escalation

Vertical privilege escalation occurs when a user with lower permissions gains the ability to perform actions reserved for higher-privilege roles. A typical example is a customer account accessing functions such as deleting users, exporting system reports, or changing configurations that should only be available to admins. This vulnerability commonly occurs when an application only checks authentication (whether the user is logged in) but skips authorization (whether the user has permission to perform a specific action).

2.2. Horizontal privilege escalation

Horizontal privilege escalation occurs when a user accesses resources belonging to another user at the same permission level. For example, User A modifies the ID parameter in the URL from ?user_id=101 to ?user_id=102 and gains access to User B's account information, order history, or profile. This type of vulnerability is particularly dangerous in e-commerce, banking, and healthcare applications where personal data holds high value.

2.3. Insecure Direct Object Reference (IDOR)

IDOR (Insecure Direct Object Reference) is a vulnerability that occurs when an application directly uses internal identifiers such as IDs, filenames, or database keys in URLs without checking access permissions. IDOR commonly appears in APIs that are not carefully designed, particularly REST APIs using sequential numeric IDs. Users need only change the ID value to access an object belonging to someone else.

2.4. Missing function-level access control

This vulnerability occurs when sensitive functions or endpoints are not properly protected on the server side. An application may hide admin paths from the regular user interface, but an attacker can still access them directly by guessing or enumerating URLs. This flaw is often discovered through endpoint fuzzing or analysis of the application's JavaScript, where sensitive paths are sometimes exposed.

2.5. CORS misconfiguration

CORS misconfiguration occurs when a server is configured to allow requests from untrusted origins. When the CORS policy is too permissive, such as allowing all origins (*) or reflecting the request origin without validation, an attacker can create a malicious website to send requests to the target application's API and read responses containing sensitive data.

3. Business impact of broken access control

Broken access control 3.png
Business impact of broken access control

Broken access control is not purely a technical issue. When exploited, its consequences ripple across multiple layers of an organization.

3.1. Sensitive data leakage

Attackers can access and steal customer information, financial data, medical records, or confidential business intelligence. This is the most common and direct consequence of broken access control, and is particularly dangerous in industries that handle high-value personal data such as banking, insurance, and e-commerce.

3.2. Unauthorized actions

Beyond reading data, attackers can carry out destructive actions such as deleting user accounts, modifying system configurations, initiating unauthorized fund transfers, or escalating privileges to seize full control of the system. In many cases, DDoS attacks combined with broken access control allow attackers to inflict compounded damage on a business.

3.3. Compliance violations

Businesses that suffer data breaches due to broken access control risk violating critical security standards. For organizations that handle payment transactions, a PCI-DSS violation can lead to financial penalties and loss of certification. For businesses operating in markets with personal data protection regulations such as PDPA or GDPR, fines can reach millions of USD. In Vietnam, Decree 13/2023/ND-CP on personal data protection also imposes strict requirements on access control.

3.4. Long-term brand reputation damage

A serious security incident caused by broken access control is typically widely publicized, especially when user data is involved. Customer trust, once lost, is very difficult to rebuild, leading to revenue decline and significant crisis communication costs.

4. How to detect broken access control in applications

Detecting broken access control early requires a combination of different testing methods. Regular website security testing is the first step businesses should take to proactively identify vulnerabilities before they are exploited.

4.1. Manual testing

Manual testing is the most effective method for detecting broken access control because this vulnerability is heavily dependent on business logic. Testers need to create multiple accounts with different permission levels, then attempt cross-account resource and function access between those accounts.

4.2. DAST tools and penetration testing

DAST (Dynamic Application Security Testing) tools automatically send test requests to a running application to detect common vulnerabilities. Penetration testing goes deeper, simulating how a real attacker would exploit the system. Businesses should learn more about how to find website security vulnerabilities and conduct penetration tests at least once a year or after each major change to the application architecture.

4.3. Code review and permission configuration review

Code reviews focused on authorization logic help detect vulnerabilities at the development stage. Key areas to examine include: whether each endpoint enforces server-side permission checks, whether object IDs are validated against the current user, and whether CORS configuration restricts trusted origins. Integrating SAST (Static Application Security Testing) into the CI/CD pipeline enables automatic detection of insecure code patterns.

5. Effective strategies to prevent broken access control

Broken access control 4.png
How to prevent broken access control effectively?

Preventing broken access control requires building a correct authorization mechanism from the design stage, not patching it in afterward.

5.1. Principle of least privilege

Each user, process, or service should be granted only the permissions necessary to perform their specific task, nothing more. The least privilege principle limits the blast radius when an account is compromised. In practice, this means avoiding default admin grants, separating permissions by specific roles, and regularly reviewing permission lists to remove any that are no longer needed.

5.2. Deny by default

All resources and functions must deny access by default. Access is only granted when an explicit rule permits it, not the other way around. This mechanism ensures that new endpoints added to the system are not accidentally left open before their permissions are properly configured.

5.3. Server-side authorization checks, not client-dependent

All authorization checks must be performed server-side. They must never rely on client-side validation or the mere act of hiding a URL in the interface. Attackers can easily bypass any client-side check by directly manipulating requests. The server must validate each request independently, confirming whether the current user has permission to access the specific object being requested.

5.4. Logging and monitoring for abnormal access

The logging and security monitoring system must record all denied access attempts, especially unusual patterns such as: an account repeatedly attempting to access different IDs within a short time, or requests to sensitive endpoints outside normal working hours. Automated alerts when such patterns are detected help the security team respond before damage occurs.

6. How VNIS helps mitigate broken access control risks

VNIS by VNETWORK is designed to protect Web/App/API from external threats, it cannot replace directly patching broken access control vulnerabilities in code. This is a business logic vulnerability embedded deep within the application layer. A WAF cannot determine whether User A is permitted to view User B's data. For internal code, businesses must still proactively audit and fix the flaw themselves.

However, the AI WAF platform within VNIS serves as a valuable supplementary defense layer, helping mitigate risk at points where code has not yet been patched:

  • Rate limiting and IDOR brute-force detection: when an account repeatedly changes ID parameters within a short time, VNIS identifies the abnormal pattern and automatically triggers a blocking or challenge mechanism.
  • Protection for known sensitive endpoints: admin paths or internal APIs can be configured with dedicated rules in VNIS to restrict access from untrusted sources.
  • Comprehensive traffic logging and monitoring: VNIS records all requests with full detail, helping the security team detect privilege escalation behavior after an event and conduct forensic investigations.
Broken access control 5 en.png
VNIS helps mitigate broken access control risks

VNIS works most effectively when combined with secure coding practices, not as a replacement for them. If broken access control is a wall that must be built correctly from the inside out, then VNIS is the outer perimeter that buys time and limits damage while the inner wall is still being completed.

7. Conclusion

Broken access control is the most critical vulnerability in the OWASP Top 10, yet it is also entirely preventable if organizations build the correct authorization mechanism from the start. The principles of least privilege, deny by default, and server-side authorization checks are indispensable foundations.

FAQ - Frequently asked questions about broken access control

1. How is broken access control different from an authentication vulnerability?

Authentication verifies a user's identity, confirming who you are. Broken access control occurs after authentication and governs what you are allowed to do. A system can have strong authentication such as two-factor authentication and password hashing, yet still have broken access control if, once logged in, users can access resources outside their permitted scope.

2. Where does OWASP rank broken access control?

According to the OWASP Top 10 2021 edition, broken access control is ranked number 1 (A01:2021), up from position number 5 in the 2017 edition. This rise reflects the high frequency with which it appears in real-world applications and the severity of damage when exploited.

3. Can small applications or startups be affected by broken access control?

Yes. Broken access control does not discriminate by application size. Smaller applications are often at higher risk because they typically lack dedicated security review processes and development teams with limited security expertise. Many popular web frameworks do not handle authorization automatically, placing the burden on developers to implement it correctly.

4. Can a WAF fully prevent broken access control?

A WAF is an important supplementary defense layer but cannot fully replace fixing the vulnerability at the code level. A WAF, especially a next-generation AI WAF, can detect and block known attack patterns, but broken access control vulnerabilities rooted in complex business logic sometimes require direct patching in code. The best strategy is to combine both: secure coding and a WAF such as VNIS.

5. How often should broken access control testing be performed?

Broken access control testing should be integrated into the regular development process through code reviews and SAST within the CI/CD pipeline. In addition, in-depth website security assessments should be conducted at least once a year and are mandatory after every major architectural change, new feature addition, or modification to the permission structure.

RELATED POST

Sitemap HTML