Quick Tutorial: Broken Access Control Vulnerability

This vulnerability type is at the top of OWASP Top 10 2021. As per OWASP, more than 90% of applications have some form of broken access control vulnerability. Broken Access Control comes under critical vulnerability and generally leads to loss of confidentiality and integrity of data.

Quick Explanation

If any user is able to perform an unintended task, that vulnerability type comes under broken access control. Here, an unintended task means the user should not allow performing that task by the application.


1) Assume a web application has two roles: normal user and admin. If a normal user is able to access the authenticated admin page by flaws such as path traversal, improper authorization, forced browsing, incorrect default permissions, etc.

In the below example, an attacker change URL to access the admin page. If it is allowed, this is a flaw that comes under this category.


2) Assume customer-related data is available on the web application via the functionality of Profile. Customers can only see their own data. If an attacker is able to see data by simple manipulation of URLs, this is a flaw that comes under this category.


Broken Access Control Prevention

Broken Access Control can be easily prevented by using appropriate checks on the server side via using code or using server-less APIs. Below are the lists of general techniques that should be used to mitigate this type of vulnerability.

  • Deny access by default for any resource.
  • Never implement different access control for each functionality. Instead, use one access control throughout the application.
  • Never rely only on tools for security. Use manual methods to test the application before deploying it in production.
  • Prepare proper documentation defining access control of the application.
  • Enable mechanism of Logging for failures. Trigger email/SMS to admin if the number of failures crosses a threshold.
  • Double-check the URLs (e.g. backup, configuration files etc.) that are not intended for the public.

Broken Access Control vs Broken Authentication

There is always confusion between broken access control and broken authentication. Sometimes, we use both interchangeably which is not correct.

Broken Access ControlBroken Authentication
Related to AuthorizationRelated to Authentication
Determine whether users have access to the resourceDetermine whether users able to prove their identity

CWE comes under Broken Access Control

CWE-201 Exposure of Sensitive Information Through Sent DataCWE-538 Insertion of Sensitive Information into Externally-Accessible File or DirectoryCWE-706 Use of Incorrectly-Resolved Name or ReferenceCWE-540 Inclusion of Sensitive Information in Source Code
CWE-1275 Sensitive Cookie with Improper SameSite AttributeCWE-863 Incorrect AuthorizationCWE-276 Incorrect Default PermissionsCWE-668 Exposure of Resource to Wrong Sphere
CWE-913 Improper Control of Dynamically-Managed Code ResourcesCWE-359 Exposure of Private Personal Information to an Unauthorized ActorCWE-922 Insecure Storage of Sensitive InformationCWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-59 Improper Link Resolution Before File Access ('Link Following')CWE-862 Missing AuthorizationCWE-497 Exposure of Sensitive System Information to an Unauthorized Control SphereCWE-284 Improper Access Control
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')CWE-639 Authorization Bypass Through User-Controlled KeyCWE-566 Authorization Bypass Through User-Controlled SQL Primary KeyCWE-552 Files or Directories Accessible to External Parties
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorCWE-35 Path Traversal: '…/…//'CWE-377 Insecure Temporary FileCWE-285 Improper Authorization
CWE-275 Permission IssuesCWE-425 Direct Request ('Forced Browsing')CWE-23 Relative Path TraversalCWE-264 Permissions, Privileges, and Access Controls
CWE-219 Storage of File with Sensitive Data Under Web RootCWE-352 Cross-Site Request Forgery (CSRF)CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


OWASP - Broken Access Control

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *