Broken Access Control

Broken Access Control occurs when an application fails to properly enforce user permissions, allowing users to access resources or perform actions beyond their authorized privileges. It is consistently ranked among the most critical web application security risks because it can lead to unauthorized access to sensitive data, administrative functions, and other users' information.



Broken Access Control can lead to:

  • Data breaches
  • Privilege escalation
  • Account takeover
  • Unauthorized transactions
  • Exposure of sensitive information

Real-World Example

Imagine these URLs:

  • /account/1001
  • /account/1002
  • /account/1003

A user logged into account 1001 changes the URL to:

  • /account/1002

If the application returns another user's data without verifying ownership, access control has failed.
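The following is an added example, not code from the original article: a minimal request handler for the `/account/{id}` URLs above, first in the broken form that trusts the id in the URL, then with the ownership check the paragraph describes. The in-memory `ACCOUNTS` store, the `session_user` argument (standing in for the identity the server derives from the session) and the `simulate_request` helper are all constructed for illustration.

```python
# Added example (not from the original article): the /account/{id} case.
# ACCOUNTS is a constructed in-memory store; session_user stands in for the
# authenticated identity the server derives from the session cookie.

ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 1200},
    1003: {"owner": "carol", "balance": 80},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_account_vulnerable(session_user, account_id):
    # BROKEN: the handler looks up whatever id the URL carries and never
    # checks that the account belongs to the logged-in user.
    return ACCOUNTS[account_id]


def get_account_fixed(session_user, account_id):
    # FIXED: look the object up, then verify ownership on the server before
    # returning it. A missing account and a foreign account raise the same
    # error so the response does not reveal which ids exist.
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not access account {account_id}")
    return account


def simulate_request(handler, session_user, path):
    """Parse '/account/<id>', dispatch to a handler, return (status, body)."""
    prefix = "/account/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return 404, None
    account_id = int(path[len(prefix):])
    try:
        return 200, handler(session_user, account_id)
    except Forbidden:
        return 403, None
    except KeyError:
        return 404, None


if __name__ == "__main__":
    # alice, logged into 1001, edits the URL to request 1002
    print(simulate_request(get_account_vulnerable, "alice", "/account/1002"))  # leaks bob's record
    print(simulate_request(get_account_fixed, "alice", "/account/1002"))       # (403, None)
    print(simulate_request(get_account_fixed, "alice", "/account/1001"))       # alice's own record
```

The point to notice is that the fix does not touch the URL parsing at all: the id is still taken from the request, but it is only a lookup key, and the decision to return the record is made from the server-side session identity.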

Common Examples

  • Viewing another user's profile
  • Accessing admin pages
  • Downloading unauthorized documents
  • Editing records owned by other users
  • Changing permissions
  • Accessing hidden APIs

Prevention

  • Enforce server-side authorization checks
  • Apply least-privilege principles
  • Validate access on every request
  • Deny access by default
  • Perform regular security testing
  • Implement role-based access control (RBAC)
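As an added example that is not part of the original article, here is one way to put the items in this list together: a role-based authorization check that runs on every request, grants each role only the permissions it needs, and denies anything that is not explicitly allowed, including routes nobody remembered to register. The roles, permissions, routes and the `Principal` type are constructed for illustration; the `DENIAL_LOG` list stands in for whatever audit sink a real application would write to.

```python
# Added example (not from the original article): role-based access control
# with deny-by-default, evaluated server-side on every request.
# Role names, permission strings and routes are constructed for illustration.

from dataclasses import dataclass, field

# Least privilege: each role lists only the permissions it needs.
# A suffix of ":own" restricts a permission to objects the caller owns;
# ":any" covers all objects; no suffix means the action has no object scope.
ROLE_PERMISSIONS = {
    "user": {"profile:read:own", "profile:edit:own", "document:download:own"},
    "auditor": {"profile:read:any", "document:download:any"},
    "admin": {"profile:read:any", "profile:edit:any", "document:download:any",
              "admin:panel", "permissions:change"},
}

# Each (method, route) maps to the permission it requires. A route that is
# not listed is denied for everyone, so a forgotten entry fails closed.
ROUTE_PERMISSIONS = {
    ("GET", "/profile/{id}"): "profile:read",
    ("POST", "/profile/{id}"): "profile:edit",
    ("GET", "/documents/{id}"): "document:download",
    ("GET", "/admin"): "admin:panel",
    ("POST", "/admin/permissions"): "permissions:change",
}

# Constructed stand-in for an audit log; denials are worth recording because
# repeated ones from a single session are a useful detection signal.
DENIAL_LOG = []


@dataclass
class Principal:
    user_id: str
    roles: set = field(default_factory=set)


def permissions_for(principal):
    """Union of the permissions granted by every role the principal holds."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def _deny(principal, method, route, reason):
    who = principal.user_id if principal is not None else "<anonymous>"
    DENIAL_LOG.append(f"deny user={who} {method} {route}: {reason}")
    return False


def is_authorized(principal, method, route, resource_owner=None):
    """Server-side check run on every request.

    Returns True only when an explicit grant matches the required permission;
    every other case, including unknown routes, is denied."""
    if principal is None:
        return _deny(principal, method, route, "unauthenticated")
    required = ROUTE_PERMISSIONS.get((method, route))
    if required is None:
        return _deny(principal, method, route, "route not registered")
    perms = permissions_for(principal)
    if required in perms:                      # unscoped permission
        return True
    if required + ":any" in perms:             # may act on any object
        return True
    if required + ":own" in perms and resource_owner is not None \
            and resource_owner == principal.user_id:
        return True                            # may act on own object only
    return _deny(principal, method, route, f"missing permission {required}")


if __name__ == "__main__":
    alice = Principal("alice", {"user"})
    root = Principal("root", {"admin"})
    print(is_authorized(alice, "GET", "/profile/{id}", resource_owner="alice"))  # True
    print(is_authorized(alice, "GET", "/profile/{id}", resource_owner="bob"))    # False
    print(is_authorized(alice, "GET", "/admin"))                                 # False
    print(is_authorized(root, "GET", "/admin"))                                  # True
    print(DENIAL_LOG)
```

Because the check takes the owner of the requested object as an input, the same function covers both function-level control (who may open `/admin`) and object-level control (whose profile a `user` may edit), which is why it has to be called by every handler rather than only on the entry points that feel sensitive.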


Published Date: 2026-06-17


Updated Date: 2026-06-17


About the Author: Team absequ is a group of engineers and researchers working on real-world systems, software development, and technology solutions.

© 2026 absequ · Contact: info@absequ.com
absequ™ is a brand of Abstract Equations Tech Private Limited. © 2026 Abstract Equations Tech Private Limited, India. All rights reserved.