appsec.fyi

Authorization / Broken Access Control Resources

A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Authorization / Broken Access Control

Authorization vulnerabilities occur when applications fail to properly enforce access controls, allowing users to perform actions or access resources beyond their intended permissions. Broken Access Control consistently ranks as the #1 risk in the OWASP Top 10, encompassing issues like privilege escalation (both vertical and horizontal), missing function-level access controls, and insecure direct object references at the authorization layer. Unlike authentication (verifying who you are), authorization determines what you are allowed to do — and flaws here can expose entire administrative interfaces, allow users to modify other accounts, or grant elevated privileges through parameter tampering, forced browsing, or JWT manipulation. Modern applications with complex role hierarchies, microservice architectures, and API-first designs face particular challenges in maintaining consistent authorization checks across every endpoint and resource.


Frequently Asked Questions

What is broken access control?
Broken access control occurs when an application fails to enforce restrictions on what authenticated users are allowed to do. This can lead to unauthorized access to other users' data, privilege escalation to admin roles, or performing actions outside the user's intended permissions — such as modifying or deleting resources they should not have access to.
What is the difference between authentication and authorization?
Authentication verifies identity (who are you?), while authorization determines permissions (what can you do?). A user can be properly authenticated but still access resources they shouldn't if authorization checks are missing or flawed. Many critical vulnerabilities arise from this distinction being overlooked.
How do you test for authorization vulnerabilities?
Test by accessing resources with different user roles, manipulating tokens or session cookies, changing IDs in API requests, and attempting to reach admin endpoints as a regular user. Tools like Autorize (Burp extension) automate this by replaying requests with different session tokens to detect missing authorization checks.
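The two escalation patterns described above (horizontal: reading another user's object; vertical: reaching an admin-only function) and the replay-based check from the last answer, as an added example that is not code from appsec.fyi or any resource it lists. It models an in-memory application: a vulnerable handler beside its hardened form for each pattern, then an Autorize-style regression check that takes a request known to succeed for a privileged user, replays it as a low-privilege user and reports whether the handler enforced anything. The users, roles, documents and endpoint labels are constructed for the example.

```python
"""Object-level and function-level authorization: broken vs enforced.

Added example; users, roles, documents and endpoint names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, owner_id=100, body="alice's notes"),
    2: Document(2, owner_id=200, body="bob's notes"),
}
ALICE = User(100, "user")
BOB = User(200, "user")
ADMIN = User(1, "admin")


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# --- Vulnerable handlers: what broken access control looks like ---

def get_document_vulnerable(current: User, doc_id: int) -> str:
    # Horizontal escalation: the handler authenticates the caller but trusts
    # the client-supplied id, so any user can read any document.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def list_all_users_vulnerable(current: User) -> List[int]:
    # Vertical escalation / missing function-level check: the endpoint is
    # merely hidden from the regular UI; nothing checks the caller's role.
    return [ALICE.user_id, BOB.user_id, ADMIN.user_id]


# --- Hardened handlers: deny by default, check on every request ---

def get_document(current: User, doc_id: int) -> str:
    doc = DOCUMENTS.get(doc_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not confirm which ids exist to a caller who is not allowed to see them.
    if doc is None or (doc.owner_id != current.user_id and current.role != "admin"):
        raise NotFound(doc_id)
    return doc.body


def require_role(role: str):
    """Decorator enforcing a role requirement on the server side."""
    def decorator(fn):
        def wrapper(current: User, *args, **kwargs):
            if current.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(current, *args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorator


@require_role("admin")
def list_all_users(current: User) -> List[int]:
    return [ALICE.user_id, BOB.user_id, ADMIN.user_id]


# --- Autorize-style regression check over your own handlers ---

Endpoint = Tuple[Callable[..., object], User, tuple]  # (handler, privileged caller, args)


def replay_as_low_privilege(endpoints: Dict[str, Endpoint], low_priv: User) -> Dict[str, str]:
    """Replay each request that succeeds for its privileged caller as `low_priv`.

    "enforced": the handler rejected the low-privilege caller.
    "BYPASSED": the low-privilege caller received the identical response.
    "different-response": it succeeded but returned something else (review by hand).
    """
    results: Dict[str, str] = {}
    for name, (handler, privileged, args) in endpoints.items():
        baseline = handler(privileged, *args)  # must succeed for the privileged user
        try:
            replayed = handler(low_priv, *args)
        except (Forbidden, NotFound):
            results[name] = "enforced"
            continue
        results[name] = "BYPASSED" if replayed == baseline else "different-response"
    return results


def audit() -> Dict[str, str]:
    endpoints: Dict[str, Endpoint] = {
        "GET /documents/2 (vulnerable)": (get_document_vulnerable, BOB, (2,)),
        "GET /documents/2 (hardened)": (get_document, BOB, (2,)),
        "GET /admin/users (vulnerable)": (list_all_users_vulnerable, ADMIN, ()),
        "GET /admin/users (hardened)": (list_all_users, ADMIN, ()),
    }
    return replay_as_low_privilege(endpoints, ALICE)


if __name__ == "__main__":
    for endpoint, verdict in audit().items():
        print(f"{verdict:<18} {endpoint}")
```

The check is deliberately shaped like the Autorize workflow in the FAQ: the privileged session establishes what a successful response looks like, and a low-privilege replay that gets the same body is flagged as a bypass. Run as a unit test in CI, it catches a handler that was shipped without its ownership or role check before anyone else finds it.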