Broken Access Control Explained


TL;DR

Broken access control sits at #1 in the OWASP Top 10 (2021). It occurs when users can access data or perform actions beyond their permissions: viewing other users' records by changing an identifier (IDOR), calling admin-only functions, or skipping steps in a workflow. The only reliable defence is to verify authorization on the server for every request to a protected resource, regardless of what the UI exposes.

Types of Access Control Failures

  • Vertical: a regular user reaches admin functionality (privilege escalation)
  • Horizontal: User A reads or modifies User B's data, typically by swapping an identifier
  • Context-dependent: a later step of a multi-step process is reached without completing the earlier ones (for example confirming an order that was never paid)
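The context-dependent case is the one the page's code samples do not show, so here is an added example (not code from the original page) of a checkout modelled as an in-memory state machine. The step names, the shape of the checkout record and the 404/409 status codes are assumptions; the point is that the vulnerable handler only checks ownership, while the hardened one also checks that the previous step was actually completed.

```javascript
// Added example, not from the original page. Step names, record shape and
// status codes are assumptions for illustration.
const STEP_ORDER = ['created', 'address_set', 'paid', 'confirmed'];

// Constructed in-memory store standing in for a database.
const checkouts = new Map();
let nextId = 1;

function createCheckout(userId) {
  const id = String(nextId++);
  checkouts.set(id, { id, userId, state: 'created' });
  return id;
}

// Vulnerable: the handler verifies ownership but not the workflow state,
// so a client can call "confirm" directly and skip payment entirely.
function confirmInsecure(userId, id) {
  const c = checkouts.get(id);
  if (!c || c.userId !== userId) return { status: 404, body: { error: 'Not found' } };
  c.state = 'confirmed';
  return { status: 200, body: c };
}

// Hardened: a transition is allowed only from the immediately preceding state,
// and ownership is still checked first (missing and foreign ids look the same).
function advance(userId, id, toState) {
  const c = checkouts.get(id);
  if (!c || c.userId !== userId) return { status: 404, body: { error: 'Not found' } };
  const expectedFrom = STEP_ORDER[STEP_ORDER.indexOf(toState) - 1];
  if (c.state !== expectedFrom) {
    return { status: 409, body: { error: `cannot move from ${c.state} to ${toState}` } };
  }
  c.state = toState;
  return { status: 200, body: c };
}

const setAddress = (userId, id) => advance(userId, id, 'address_set');
const pay = (userId, id) => advance(userId, id, 'paid');
const confirm = (userId, id) => advance(userId, id, 'confirmed');
```

Because `advance` derives the required previous state from the step order, adding a step to the flow means editing one array rather than every handler, which is where skipped checks usually creep in.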

Common Examples

Broken access control patterns
// IDOR: no ownership check
app.get('/api/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order);  // Any caller who can guess or increment an id can read any order
});

// Missing admin check
app.delete('/api/users/:id', async (req, res) => {
  await User.deleteById(req.params.id);
  res.status(204).end();  // No check that the requester is an admin, or even logged in
});

// Frontend-only protection
// Hiding the "Admin" button in the UI does nothing to protect the /admin routes;
// the same requests can be sent directly with curl or an intercepting proxy.

How to Fix It

Proper access control
// Authentication middleware (session or JWT verification) must run before these
// handlers so that req.user is populated; otherwise the checks below throw.
const requireAuth = (req, res, next) => {
  if (!req.user) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  next();
};

// Always verify ownership
app.get('/api/orders/:id', requireAuth, async (req, res) => {
  const order = await Order.findById(req.params.id);

  // Handle "not found" before touching order.userId
  if (!order) {
    return res.status(404).json({ error: 'Not found' });
  }

  // Check ownership. Note that a 403 here confirms the id exists; many APIs
  // return 404 for both cases so that ids cannot be enumerated.
  if (order.userId !== req.user.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }

  res.json(order);
});

// Use middleware for role checks
const requireAdmin = (req, res, next) => {
  if (!req.user) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Admin required' });
  }
  next();
};

app.delete('/api/users/:id', requireAdmin, deleteUser);

Best Practices

  • Deny by default: every (role, action) pair that is not explicitly granted is refused
  • Check authorization on every request, including ones the UI never issues (other HTTP methods, hidden parameters)
  • Use middleware or a single policy function for consistent enforcement, so a check cannot be forgotten on one route
  • Log access control failures for monitoring; a burst of 403s from one account is a strong signal of probing
  • Use random identifiers (for example UUIDs) instead of sequential IDs to make enumeration harder; this is defence in depth, not a replacement for the ownership check
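The first four practices fit together in one central policy function. The following is an added example, not code from the original page: an explicit allow table, a `decide()` function that refuses anything not in the table, and an in-memory `audit` array standing in for a log sink. Role names, action names, resource shapes and the 401/403 mapping are assumptions.

```javascript
// Added example, not from the original page. Roles, actions, resource shape
// and the audit sink are assumptions for illustration.
const audit = [];  // stands in for a structured log or SIEM feed

// Explicit allow table: anything not listed here is denied.
// A rule is either `true` (always allowed for that role) or a predicate
// over (user, resource) for ownership or state conditions.
const ALLOW = {
  admin: {
    'user:delete': true,
    'order:read': true,
  },
  user: {
    'order:read': (user, order) => order.userId === user.id,
    'order:cancel': (user, order) => order.userId === user.id && order.state !== 'shipped',
  },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns { allowed, status }. 401 for no principal, 403 for any other denial.
// hasOwn() is used for both lookups so that role or action values such as
// "constructor" or "__proto__" cannot resolve to inherited properties.
function decide(user, action, resource, context = {}) {
  let allowed = false;
  if (user && hasOwn(ALLOW, user.role) && hasOwn(ALLOW[user.role], action)) {
    const rule = ALLOW[user.role][action];
    allowed = rule === true || (typeof rule === 'function' && rule(user, resource) === true);
  }
  if (!allowed) {
    // Every denial is recorded; the caller can attach request context (ip, route).
    audit.push({
      ts: new Date().toISOString(),
      userId: user ? user.id : null,
      role: user ? user.role : 'anonymous',
      action,
      resourceId: resource ? resource.id : null,
      ...context,
    });
  }
  return { allowed, status: allowed ? 200 : (user ? 403 : 401) };
}
```

In a route handler the call is `const d = decide(req.user, 'order:read', order, { ip: req.ip, route: req.path }); if (!d.allowed) return res.status(d.status).end();`. Because the handler never branches on role or ownership itself, every route gets the same deny-by-default semantics and the same audit record.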

Is hiding UI elements enough?

No. Attackers can call APIs directly. Server-side authorization checks are required. UI hiding is just for user experience, not security.

How do I test for access control issues?

Log in as each user type (plus an unauthenticated session), capture every request the application makes, then replay each one with another user's session cookie or token and with identifiers swapped. Use tools like Burp Suite to modify request parameters and test authorization on every endpoint, including HTTP methods and parameters the UI never sends. Recording the expected outcome per (endpoint, role) pair as a matrix makes the test repeatable rather than a one-off manual pass.

Test Your Access Controls

Our scanner checks for broken access control across your API.
