[{"data":1,"prerenderedAt":177},["ShallowReactive",2],{"blog-vulnerabilities/broken-access-control":3},{"id":4,"title":5,"body":6,"category":156,"date":157,"dateModified":158,"description":159,"draft":160,"extension":161,"faq":162,"featured":160,"headerVariant":163,"image":162,"keywords":162,"meta":164,"navigation":165,"ogDescription":166,"ogTitle":162,"path":167,"readTime":168,"schemaOrg":169,"schemaType":170,"seo":171,"sitemap":172,"stem":173,"tags":174,"twitterCard":175,"__hash__":176},"blog/blog/vulnerabilities/broken-access-control.md","Broken Access Control Explained",{"type":7,"value":8,"toc":145},"minimark",[9,16,21,44,49,64,68,77,81,98,114,133],[10,11,12],"tldr",{},[13,14,15],"p",{},"Broken access control is the #1 security risk according to OWASP. It occurs when users can access data or perform actions beyond their permissions. This includes viewing other users' data (IDOR), accessing admin functions, and bypassing checks. Always verify authorization on the server for every protected resource.",[17,18,20],"h2",{"id":19},"types-of-access-control-failures","Types of Access Control Failures",[22,23,24,32,38],"ul",{},[25,26,27,31],"li",{},[28,29,30],"strong",{},"Vertical:"," Regular user accesses admin functions",[25,33,34,37],{},[28,35,36],{},"Horizontal:"," User A accesses User B's data",[25,39,40,43],{},[28,41,42],{},"Context-dependent:"," Skipping steps in a multi-step process",[45,46,48],"h3",{"id":47},"common-examples","Common Examples",[50,51,53],"code-block",{"label":52},"Broken access control patterns",[54,55,60],"pre",{"className":56,"code":58,"language":59},[57],"language-text","// IDOR: No ownership check\napp.get('/api/orders/:id', (req, res) => {\n  const order = await Order.findById(req.params.id);\n  res.json(order);  // Anyone can view any order!\n});\n\n// Missing admin check\napp.delete('/api/users/:id', (req, res) => {\n  await User.deleteById(req.params.id);\n  // No check if requester is admin!\n});\n\n// Frontend-only protection\n// 
Hiding the \"Admin\" button doesn't secure /admin routes\n","text",[61,62,58],"code",{"__ignoreMap":63},"",[17,65,67],{"id":66},"how-to-fix-it","How to Fix It",[50,69,71],{"label":70},"Proper access control",[54,72,75],{"className":73,"code":74,"language":59},[57],"// Always verify ownership\napp.get('/api/orders/:id', async (req, res) => {\n  const order = await Order.findById(req.params.id);\n\n  // Check ownership\n  if (order.userId !== req.user.id) {\n    return res.status(403).json({ error: 'Forbidden' });\n  }\n\n  res.json(order);\n});\n\n// Use middleware for role checks\nconst requireAdmin = (req, res, next) => {\n  if (req.user.role !== 'admin') {\n    return res.status(403).json({ error: 'Admin required' });\n  }\n  next();\n};\n\napp.delete('/api/users/:id', requireAdmin, deleteUser);\n",[61,76,74],{"__ignoreMap":63},[45,78,80],{"id":79},"best-practices","Best Practices",[22,82,83,86,89,92,95],{},[25,84,85],{},"Deny by default, explicitly grant access",[25,87,88],{},"Check authorization on every request, not just in the UI",[25,90,91],{},"Use middleware for consistent enforcement",[25,93,94],{},"Log access control failures for monitoring",[25,96,97],{},"Use unguessable IDs such as UUIDs instead of sequential IDs as defense in depth, not as a substitute for authorization checks",[99,100,101,108],"faq-section",{},[102,103,105],"faq-item",{"question":104},"Is hiding UI elements enough?",[13,106,107],{},"No. Attackers can call APIs directly. Server-side authorization checks are required. UI hiding is just for user experience, not security.",[102,109,111],{"question":110},"How do I test for access control issues?",[13,112,113],{},"Log in as different user types and try to access each other's resources. 
Use tools like Burp Suite to modify request parameters and test authorization on every endpoint.",[115,116,117,123,128],"related-articles",{},[118,119],"related-card",{"description":120,"href":121,"title":122},"Specific access control bug","/blog/vulnerabilities/idor","IDOR",[118,124],{"description":125,"href":126,"title":127},"Related issue","/blog/vulnerabilities/api-authentication-bypass","Auth Bypass",[118,129],{"description":130,"href":131,"title":132},"Data manipulation","/blog/vulnerabilities/mass-assignment","Mass Assignment",[134,135,138,142],"cta-box",{"href":136,"label":137},"/","Start Free Scan",[17,139,141],{"id":140},"test-your-access-controls","Test Your Access Controls",[13,143,144],{},"Our scanner checks for broken access control across your API.",{"title":63,"searchDepth":146,"depth":146,"links":147},2,[148,152,155],{"id":19,"depth":146,"text":20,"children":149},[150],{"id":47,"depth":151,"text":48},3,{"id":66,"depth":146,"text":67,"children":153},[154],{"id":79,"depth":151,"text":80},{"id":140,"depth":146,"text":141},"vulnerabilities","2026-01-12","2026-01-27","Broken access control is the #1 web security risk. It happens when users can access resources or actions they should not be authorized for. Learn how to fix it.",false,"md",null,"red",{"noindex":165},true,"Learn about broken access control, the #1 web security risk.","/blog/vulnerabilities/broken-access-control","6 min read","[object Object]","TechArticle",{"title":5,"description":159},{"loc":167},"blog/vulnerabilities/broken-access-control",[],"summary_large_image","cH9yO9g_v7td0aDYXcyJsCw1OfQbnGLh37pLfgBWHFM",1775843918547]