OWASP Broken Access Control Interview Questions for AppSec and VAPT Professionals
Broken Access Control is one of the most critical and frequently exploited vulnerabilities in modern web applications and APIs. It occurs when an application fails to properly enforce authorization rules, allowing users to access resources, perform actions, or view data beyond their intended privileges.
Ranked first in the OWASP Top 10 2021 (A01:2021), Broken Access Control can lead to unauthorized data disclosure, privilege escalation, administrative compromise, and severe business impact. As organizations adopt APIs, microservices, and cloud-native architectures, the number of places where an authorization decision must be made grows, and security professionals need a solid understanding of access control mechanisms and the ways they fail.
This article provides advanced interview questions and detailed answers to help experienced cybersecurity, AppSec, and VAPT professionals strengthen their understanding of Broken Access Control and prepare for technical interviews.
1. What is Broken Access Control?
Answer:
Broken Access Control occurs when an application fails to properly enforce authorization rules, allowing users to access resources, perform actions, or view data beyond their intended privileges.
Authentication answers the question "Who are you?", while authorization answers "What are you allowed to do?" Even after successful authentication, users must only access resources and functions explicitly permitted to them.
Examples include:
- Viewing another user's records.
- Accessing administrative pages.
- Modifying other users' data.
- Performing privileged operations.
Modern applications have complex authorization requirements involving users, roles, ownership, business rules, and contextual conditions. Failure to implement these checks consistently leads to Broken Access Control.
2. Why is Broken Access Control ranked as one of the most critical OWASP vulnerabilities?
Answer:
Broken Access Control can directly compromise the confidentiality, integrity, and availability of systems.
Unlike some vulnerabilities that require chaining multiple weaknesses, access control flaws often provide immediate impact:
- Unauthorized data access.
- Privilege escalation.
- Administrative compromise.
- Data modification.
- Fraudulent transactions.
- Regulatory violations.
The vulnerability is also difficult to detect because access control logic is scattered across application code, APIs, microservices, and backend components, and because an automated scanner cannot know which user is supposed to see which resource; confirming a flaw requires business context and usually a second account.
Attackers frequently exploit these flaws because doing so requires little technical skill: changing an identifier in a URL or replaying another user's request is often enough.
3. Differentiate Authentication and Authorization.
Answer:
Authentication verifies the identity of a user.
Examples:
- Password login.
- Multi-factor authentication.
- Biometrics.
Authorization determines what an authenticated user is permitted to do.
For example:
- User A logs in successfully.
- User A attempts to access another user's account.
- Authentication succeeds.
- Authorization fails.
Many developers incorrectly assume that authentication automatically provides authorization, leading to severe security issues.
4. Explain Horizontal and Vertical Privilege Escalation.
Answer:
Horizontal Privilege Escalation: A user accesses resources belonging to another user with the same privilege level.
Example:
- Customer A accesses Customer B's invoices.
Vertical Privilege Escalation: A low-privileged user gains access to higher privilege functions.
Example:
- Regular user accesses administrative functions.
Vertical escalation typically has the greater impact because the attacker obtains administrative capabilities that affect every user, whereas horizontal escalation exposes one peer's data at a time (though it is often trivially repeatable across all users, as in IDOR).
5. What is IDOR?
Answer:
Insecure Direct Object Reference (IDOR) occurs when an application uses a user-supplied identifier (a database key, account number, filename) to look up an object and fails to verify that the requesting user is authorized for that particular object.
Example:
GET /account/12345
An attacker changes:
GET /account/12346
If the application does not validate ownership, another user's data becomes accessible.
IDOR vulnerabilities commonly occur in:
- APIs
- File downloads
- Profile pages
- Document portals
- Mobile applications
6. How do you test Broken Access Control during a penetration test?
Answer:
Testing includes:
- User role comparison: create multiple accounts at different privilege levels (and one unauthenticated session) and attempt every function and object with each of them.
- Forced browsing: request hidden or unlinked URLs directly, such as administrative pages and API routes discovered in JavaScript or documentation.
- Parameter manipulation: modify user IDs, account numbers, order numbers, and similar identifiers wherever they appear (path, query string, body, headers, cookies).
- API testing: call each endpoint with a lower-privileged token, an expired token, and no token at all.
- Session swapping: replace one user's session cookie or token with another user's and replay the request.
- JWT manipulation: change claims such as role, change the alg header, or strip the signature, and observe whether the server still accepts the token.
- Business logic testing: attempt actions out of sequence or on objects in the wrong state, for example approving your own request.
Testing must cover:
- functions
- objects
- workflows
- APIs
- administrative interfaces
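The role-comparison and forced-browsing steps above are usually automated. The following is an added example, not code from the original article: a small harness that replays every in-scope endpoint as every role and reports any success that the agreed access matrix does not permit. The target here is a constructed stub with two deliberate defects; in a real engagement `send` would wrap an HTTP client carrying each account's session. The endpoints, roles, and matrix are assumptions for illustration.

```python
# Added example (not from the original article): automated role comparison and
# forced browsing against a constructed stub application.
from typing import Callable, Dict, List, Set, Tuple

# Expected access matrix agreed with the application owner before testing.
# (method, path) -> roles that SHOULD succeed. Anything absent is expected to be denied.
EXPECTED: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/profile"): {"user", "manager", "admin"},
    ("POST", "/requests/approve"): {"manager", "admin"},
    ("DELETE", "/admin/users/7"): {"admin"},
    ("GET", "/admin/export"): {"admin"},
}

ROLES = ["anonymous", "user", "manager", "admin"]


def stub_app(method: str, path: str, role: str) -> int:
    """Constructed stand-in for the target. Two hypothetical defects are built in:
    /admin/export has no check at all (forced browsing succeeds for anyone), and the
    approve endpoint is merely hidden in the UI for users, not enforced server side."""
    rules = {
        ("GET", "/profile"): lambda r: r != "anonymous",
        ("POST", "/requests/approve"): lambda r: r != "anonymous",   # defect
        ("DELETE", "/admin/users/7"): lambda r: r == "admin",
        ("GET", "/admin/export"): lambda r: True,                    # defect
    }
    check = rules.get((method, path))
    if check is None:
        return 404
    return 200 if check(role) else 403


def find_violations(send: Callable[[str, str, str], int]) -> List[dict]:
    """Replay every endpoint as every role; report any 2xx a role should not receive."""
    violations = []
    for (method, path), allowed in EXPECTED.items():
        for role in ROLES:
            status = send(method, path, role)
            if status < 300 and role not in allowed:
                violations.append({"method": method, "path": path,
                                   "role": role, "status": status})
    return violations


if __name__ == "__main__":
    for v in find_violations(stub_app):
        print(f"{v['role']:>9} got {v['status']} on {v['method']} {v['path']}")
```

The matrix is the important artifact: without an agreed statement of who should reach what, a tester can only report what works, not what is wrong. Run against the stub, the harness flags the user who can approve requests and the three non-admin roles that can export.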
7. Why should authorization never be enforced on the client side?
Answer:
Anything that runs in the browser or mobile app runs on hardware the attacker controls, so client-side checks are a usability feature, not a security control.
Attackers can:
- modify JavaScript in the browser's developer tools
- intercept and edit requests with a proxy such as Burp Suite
- replay or hand-craft requests without using the UI at all
- alter hidden form fields, disabled buttons, and cookies
Example:
A button may be rendered only for administrators:
if(user.role=="admin")
An attacker who knows or guesses the endpoint simply sends the request the button would have sent. If the server relies on the button being hidden, the request is processed.
The server must independently authorize every request regardless of what the client did or did not display.
8. Explain Role-Based Access Control (RBAC).
Answer:
RBAC assigns permissions to predefined roles rather than individual users.
Example:
| Role | Permissions |
|---|---|
| User | View profile |
| Manager | Approve requests |
| Admin | Manage users |
Advantages:
- Easier management.
- Scalability.
- Reduced administrative overhead.
Challenges:
- Role explosion, when every exception to a role needs a new role.
- Poor fit for complex organizations where access depends on context rather than job title.
- Limited flexibility: a role cannot express conditions such as time, location, or ownership of the object.
9. Explain Attribute-Based Access Control (ABAC).
Answer:
ABAC evaluates a policy over attributes of the subject, the action, the resource, and the environment, for example:
- User department.
- Location or source network.
- Time of day.
- Device posture.
- Resource classification level.
Example:
"Allow finance employees to access payroll data only from the corporate network during business hours."
ABAC provides finer control than RBAC, but policies must be written, tested, and kept in sync with the attribute sources they depend on (directory, device inventory, network), which is more work to operate than a role table.
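The payroll policy quoted above, evaluated in code, as an added example that is not from the original article. It shows what "attribute-based" means in practice: the decision is a conjunction of conditions on the subject, action, resource, and environment, and any attribute that is missing or malformed denies rather than being guessed. The corporate network range, business hours, and attribute names are assumptions for illustration.

```python
# Added example (not from the original article): the ABAC policy
# "finance employees may read payroll data only from the corporate network
# during business hours", evaluated over subject/resource/environment attributes.
import ipaddress
from dataclasses import dataclass
from datetime import datetime

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address range
BUSINESS_HOURS = range(9, 18)                    # assumed: 09:00 to 17:59, Monday to Friday


@dataclass(frozen=True)
class Subject:
    user_id: str
    department: str


@dataclass(frozen=True)
class Resource:
    kind: str
    classification: str


@dataclass(frozen=True)
class Environment:
    source_ip: str
    now: datetime


def payroll_policy(subject: Subject, action: str, resource: Resource, env: Environment) -> bool:
    """True only when every attribute condition holds; anything else is a deny."""
    if resource.kind != "payroll":
        return False                 # this policy says nothing about other resources
    if action != "read":
        return False
    if subject.department != "finance":
        return False
    try:
        ip = ipaddress.ip_address(env.source_ip)
    except ValueError:
        return False                 # malformed attribute: deny, do not guess
    if ip not in CORP_NET:
        return False
    if env.now.weekday() >= 5 or env.now.hour not in BUSINESS_HOURS:
        return False
    return True


def check(department: str, source_ip: str, when_iso: str, action: str = "read") -> bool:
    """Convenience wrapper: build the attribute objects from plain values and evaluate."""
    subject = Subject(user_id="u1", department=department)
    resource = Resource(kind="payroll", classification="confidential")
    env = Environment(source_ip=source_ip, now=datetime.fromisoformat(when_iso))
    return payroll_policy(subject, action, resource, env)
```

Note that the same request from the same person flips from allow to deny when only the environment changes (a public IP, a Saturday), which is exactly the behaviour a role table cannot express.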
10. What is the Principle of Least Privilege?
Answer:
Users should receive only the minimum permissions necessary to perform their tasks.
Benefits:
- Reduces attack surface.
- Limits insider threats.
- Prevents privilege abuse.
- Minimizes damage after compromise.
Least privilege applies to:
- users
- administrators
- applications
- services
- APIs
11. How can APIs suffer from Broken Access Control?
Answer:
APIs expose backend objects and functions directly, usually with identifiers in the URL or body, and are consumed by clients the server cannot see, so every endpoint must make its own authorization decision.
Common issues:
- Missing ownership validation on object lookups.
- Insecure object references (IDOR) in paths and bodies.
- Excessive data exposure: returning the whole object and relying on the client to filter fields.
- Function-level authorization failures on administrative or bulk endpoints.
- Trusting client-supplied parameters such as user_id or role in the request.
APIs require an explicit authorization check on every endpoint and every object they return.
12. Explain Function-Level Access Control.
Answer:
Function-level access control restricts who may execute specific functions.
Examples:
- Create user.
- Delete records.
- Approve transactions.
- Export reports.
If unauthorized users access these functions, vertical privilege escalation occurs.
13. Explain Object-Level Access Control.
Answer:
Object-level access control determines whether a user can access a specific resource.
Example:
User A:
invoice/1001
User B:
invoice/1002
Even if both users are permitted to use the invoice function, each must be able to reach only the invoices they own; the check is per object, not per function, and must be repeated on every request.
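The invoice lookup above, and the IDOR pattern from question 5, in code. This is an added example, not code from the original article: the vulnerable handler looks the object up by identifier alone, while the fixed handler makes ownership part of the query so that another user's identifier simply does not resolve. The in-memory SQLite table, the user ids, and the function names are constructed for illustration.

```python
# Added example (not from the original article): object-level access control on an
# invoice lookup, vulnerable form beside the fixed form.
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample data: user 1 owns invoice 1001, user 2 owns invoice 1002."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1001, 1, 250), (1002, 2, 980)])
    return db


class NotFound(Exception):
    pass


def get_invoice_vulnerable(db, current_user_id: int, invoice_id: int):
    """IDOR: the object is fetched by id only; the caller's identity is never consulted."""
    return db.execute("SELECT id, owner_id, total FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


def get_invoice_fixed(db, current_user_id: int, invoice_id: int):
    """Ownership is part of the query, so an id the caller does not own yields no row."""
    row = db.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()
    if row is None:
        # Treat 'not yours' exactly like 'does not exist' (HTTP 404) so the response
        # does not confirm which identifiers are valid to an enumerating attacker.
        raise NotFound(f"invoice {invoice_id} not found for user {current_user_id}")
    return row


def can_access(db, current_user_id: int, invoice_id: int) -> bool:
    """True if the fixed handler would return the invoice to this user."""
    try:
        get_invoice_fixed(db, current_user_id, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = seed()
    print("vulnerable:", get_invoice_vulnerable(db, 1, 1002))   # user 1 reads user 2's invoice
    print("fixed:", can_access(db, 1, 1002))                   # False
```

Putting the owner in the WHERE clause is preferable to fetching first and comparing afterwards: there is no window in which the foreign object is loaded, and a developer cannot forget the comparison on one code path.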
14. What is Mass Assignment?
Answer:
Mass assignment occurs when a framework automatically binds every field of a request body onto an internal object (an ORM model or DTO) without an allow-list of fields the caller may set.
Example:
{
"username":"user",
"role":"admin"
}
If the backend binds all supplied fields, an attacker can set attributes the form never exposed, such as role, and escalate privileges with an ordinary profile update.
Bind only an explicit allow-list of fields per endpoint, reject rather than silently ignore anything else, and treat privilege-bearing fields as server-controlled.
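The profile update from the JSON above, first with mass assignment and then with allow-listed binding, as an added example that is not from the original article. The User model, its field names, and the request body are constructed for illustration.

```python
# Added example (not from the original article): mass assignment beside an
# allow-listed binding of the same request body.
from dataclasses import dataclass, fields


@dataclass
class User:
    username: str
    email: str
    role: str = "user"          # privilege-bearing field; must never come from the client
    is_verified: bool = False   # likewise server-controlled


MODEL_FIELDS = {f.name for f in fields(User)}


def update_vulnerable(user: User, body: dict) -> User:
    """Mass assignment: every key that matches a model field is copied, role included."""
    for key, value in body.items():
        if key in MODEL_FIELDS:
            setattr(user, key, value)
    return user


USER_EDITABLE = frozenset({"username", "email"})   # what a user may change about themselves


def update_fixed(user: User, body: dict) -> User:
    """Binds only allow-listed fields; unexpected keys are rejected, not silently dropped,
    so that an attempt to set role shows up as an error in the logs."""
    extra = set(body) - USER_EDITABLE
    if extra:
        raise ValueError(f"fields not permitted: {sorted(extra)}")
    for key in USER_EDITABLE & set(body):
        setattr(user, key, body[key])
    return user


# Constructed attacker request: the form only showed username and email.
ATTACK = {"username": "user", "email": "user@example.com", "role": "admin"}


if __name__ == "__main__":
    print(update_vulnerable(User("alice", "a@example.com"), dict(ATTACK)))   # role='admin'
    try:
        update_fixed(User("alice", "a@example.com"), dict(ATTACK))
    except ValueError as e:
        print("rejected:", e)
```

Rejecting rather than ignoring the extra field is a deliberate choice: a silently dropped `role` hides the probe, while a 400 with the offending field name gives the SOC something to alert on.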
15. How do JWT vulnerabilities lead to Broken Access Control?
Answer:
Problems include:
- Role manipulation: the server reads role or similar claims from the payload and acts on them.
- Weak signing secrets that can be brute-forced offline from a captured token.
- Unsigned tokens: accepting alg: none, or a token whose signature is absent or not checked.
- Letting the token's own header choose the verification algorithm.
- Trusting client claims in general instead of server-side state.
Example:
{
"role":"admin"
}
If the server blindly trusts the token contents, privilege escalation becomes possible.
Servers must validate:
- signature, against a pinned expected algorithm (reject none)
- expiration (exp, and nbf where used)
- issuer (and audience, if the token is meant for this service)
- claims, and should take authorization decisions from server-side records rather than from a mutable claim such as role
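The following is an added example, not code from the original article: a minimal HS256 JWT signer and verifier written against the standard library so that the checks are visible, plus the alg: none forgery the answer above describes. The naive decoder reads the claims without verifying anything; the strict verifier pins the algorithm, checks the signature in constant time, checks exp and iss, and then ignores the token's role in favour of a server-side lookup. The secret, issuer, and role table are constructed for illustration (do not use them for anything real).

```python
# Added example (not from the original article): HS256 JWT verification done
# properly, beside the naive decode that makes role-in-token attacks work.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-only-do-not-use"            # assumed HMAC key
ISSUER = "https://auth.example"                 # assumed expected issuer
ROLES_DB = {"alice": "user", "bob": "admin"}    # authoritative roles live server side


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict) -> str:
    """Server side: issue a properly signed token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker side: unsigned token with alg=none and an empty signature segment."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_naive(token: str) -> dict:
    """The vulnerable pattern: read the claims, verify nothing."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_strict(token: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":              # pin the algorithm; the header does not decide
        raise InvalidToken("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("expired")
    if "sub" not in claims:
        raise InvalidToken("no subject")
    # Authorization comes from the server's own record, not from a "role" claim.
    claims["role"] = ROLES_DB.get(claims["sub"], "none")
    return claims


def effective_role(token: str, now: Optional[float] = None) -> str:
    """What the application would act on: the verified role, or 'rejected'."""
    try:
        return verify_strict(token, now)["role"]
    except InvalidToken:
        return "rejected"
```

The order of checks matters: the algorithm is pinned before the signature is computed, so a none or RS256 header never reaches the HMAC, and the role claim is overwritten after verification so that even a validly signed token cannot carry a stale or tampered privilege.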
16. What challenges do microservices introduce?
Answer:
Microservices distribute authorization decisions across multiple services.
Problems:
- inconsistent policies
- trust assumptions
- token propagation issues
- duplicated logic
Centralized policy enforcement (a shared authorization library, a policy decision point, or checks at the API gateway backed by checks in each service) and propagating the caller's verified identity rather than an internal "trusted" flag help maintain consistency.
17. What logging is important for access control?
Answer:
Security logs should capture:
- failed authorization attempts
- privilege changes
- access denials
- sensitive resource access
- administrative actions
Monitoring these events enables detection of attacks and insider threats.
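What monitoring those events looks like in practice, as an added example that is not from the original article: detection logic run over constructed access-log lines that flags the traces an access-control attacker leaves behind, namely a burst of authorization denials, enumeration of consecutive object identifiers by one principal, and a privilege change. The log format, field names, and thresholds are assumptions for illustration.

```python
# Added example (not from the original article): simple detections for access
# control abuse over constructed application access-log lines.
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines (timestamp user method path status); not real traffic.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z user=alice GET /orders/1021 200
2024-03-05T10:00:02Z user=alice GET /orders/1022 403
2024-03-05T10:00:02Z user=alice GET /orders/1023 403
2024-03-05T10:00:03Z user=alice GET /orders/1024 403
2024-03-05T10:00:03Z user=alice GET /orders/1025 200
2024-03-05T10:00:04Z user=alice GET /orders/1026 403
2024-03-05T10:00:04Z user=alice GET /orders/1027 403
2024-03-05T10:00:05Z user=alice GET /admin/users 403
2024-03-05T10:00:07Z user=bob GET /orders/2001 200
2024-03-05T10:00:08Z user=bob GET /orders/2001 200
2024-03-05T10:00:09Z user=carol POST /admin/users/7/role 200
"""

LINE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
OBJECT_ID = re.compile(r"/(\d+)(?:/|$)")

DENY_THRESHOLD = 5     # assumed: denials per user before alerting
ENUM_THRESHOLD = 5     # assumed: distinct ids under one collection before alerting


def parse(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, method, path, status = m.groups()
            events.append({"ts": ts, "user": user, "method": method,
                           "path": path, "status": int(status)})
    return events


def detect(events: List[Dict]) -> List[str]:
    denials = defaultdict(int)       # user -> number of 401/403 responses
    touched = defaultdict(set)       # (user, collection) -> distinct numeric ids requested
    alerts = []
    for e in events:
        if e["status"] in (401, 403):
            denials[e["user"]] += 1
        m = OBJECT_ID.search(e["path"])
        if m:
            collection = e["path"][: m.start()]          # e.g. "/orders"
            touched[(e["user"], collection)].add(int(m.group(1)))
        if e["method"] in ("POST", "PUT", "PATCH", "DELETE") and "/role" in e["path"]:
            alerts.append(f"privilege change by {e['user']}: {e['method']} {e['path']}")
    for user, n in denials.items():
        if n >= DENY_THRESHOLD:
            alerts.append(f"{n} authorization denials for {user}")
    for (user, collection), ids in touched.items():
        if len(ids) >= ENUM_THRESHOLD:
            span = max(ids) - min(ids) + 1
            if len(ids) * 2 >= span:                     # mostly contiguous ids: enumeration
                alerts.append(f"{user} enumerated {len(ids)} ids under {collection}")
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

Note that the enumeration rule counts successes as well as denials: in the sample, alice received two 200s among the 403s, which is exactly the signature of an IDOR that has already yielded data, and a rule keyed only on failures would under-report it. The denial counter alone would also have missed a successful IDOR in an application that returns 200 for every identifier.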
18. Explain Deny by Default.
Answer:
Access should be denied unless explicitly permitted.
Instead of:
Allow everything except restricted actions.
Organizations should implement:
Deny everything unless specifically authorized.
This approach reduces accidental exposure.
19. How would you remediate Broken Access Control?
Answer:
Recommended controls:
- Server-side authorization checks.
- Centralized access control mechanisms.
- Deny by default.
- Least privilege.
- Role reviews.
- Access logging.
- Secure APIs.
- Automated authorization testing.
Authorization should be enforced consistently throughout the application.
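One way to make several of these controls concrete at once (server-side checks from question 7, function-level control from question 12, deny by default from question 18, and the centralized mechanism recommended here), as an added example that is not code from the original article: a single decorator through which every handler declares the permission it needs, and a dispatcher that refuses to run any handler that made no declaration. The roles, permissions, and handler names are constructed for illustration.

```python
# Added example (not from the original article): a centralized, deny-by-default
# function-level authorization layer.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Set

ROLE_PERMISSIONS: Dict[str, Set[str]] = {         # assumed RBAC table
    "user":    {"profile:read"},
    "manager": {"profile:read", "request:approve"},
    "admin":   {"profile:read", "request:approve", "user:manage", "report:export"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str          # established by authentication, never taken from the request body


class Forbidden(Exception):
    pass


# handler name -> required permission: the single place authorization rules live
_REGISTRY: Dict[str, str] = {}


def requires(permission: str) -> Callable:
    """Declare the permission a handler needs; enforcement happens here, on the server."""
    def deco(fn: Callable) -> Callable:
        _REGISTRY[fn.__name__] = permission

        @wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            granted = ROLE_PERMISSIONS.get(principal.role, set())   # unknown role -> nothing
            if permission not in granted:
                raise Forbidden(f"{principal.role} lacks {permission}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return deco


def dispatch(handler: Callable, principal: Principal, *args, **kwargs):
    """Deny by default: a handler that never declared a permission cannot be invoked."""
    if handler.__name__ not in _REGISTRY:
        raise Forbidden(f"{handler.__name__} has no authorization rule")
    return handler(principal, *args, **kwargs)


@requires("request:approve")
def approve_request(principal: Principal, request_id: int) -> str:
    return f"request {request_id} approved by {principal.user_id}"


@requires("report:export")
def export_report(principal: Principal) -> str:
    return "report.csv"


def delete_all_users(principal: Principal) -> str:   # developer forgot the decorator
    return "everything gone"


def try_call(handler: Callable, principal: Principal, *args) -> str:
    """Outcome as the application would report it."""
    try:
        return dispatch(handler, principal, *args)
    except Forbidden as e:
        return f"denied: {e}"
```

The point of the registry is the last case: with allow-by-default, forgetting a decorator silently exposes a function, whereas here the forgotten declaration fails closed and is found the first time anyone calls the endpoint, including the automated authorization tests recommended above.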
20. Describe a real-world access control vulnerability you discovered.
Sample Answer:
During a web application assessment, a user account was created with normal privileges. The application used sequential identifiers:
GET /orders/1021
Changing the identifier:
GET /orders/1022
returned another customer's data.
The root cause was missing ownership validation: the handler looked up the order by identifier without checking that it belonged to the authenticated user.
The issue was reported as IDOR, allowing unauthorized disclosure of sensitive customer information for every order in the system, since the identifiers were sequential and easily enumerated.
The recommendation included:
- ownership checks on every object lookup
- indirect object references (per-user reference maps or non-guessable identifiers), noting that these slow enumeration but do not replace the ownership check
- authorization middleware so the check is applied centrally rather than per handler
This demonstrates practical understanding beyond theoretical concepts: what was observed, why it happened, and what fixes it.
Disclaimer: This tutorial is for educational purposes only. Individuals are solely responsible for any illegal acts.
