Broken Access Control: The Number One Web Application Risk

Broken access control has sat at the top of the OWASP Top 10 since the 2021 update. It replaced injection as the single most common and impactful web application vulnerability class. The frequency of its appearance in real-world assessments, and the severity of its consequences, make it the risk that web application security should centre on.

Access control is the mechanism that determines who can do what within an application. It controls which users can read, write, or delete data, which functions are available based on role, and which resources are accessible at all. When access control fails, data that should be private becomes accessible to unauthorised parties and, in some cases, users gain the ability to perform actions reserved for administrators.

How Broken Access Control Manifests

Insecure direct object references (IDOR) are the most common manifestation. An application generates a URL or API endpoint that includes an identifier for a specific resource, such as /account/12345 or /document/67890. If the application does not verify that the requesting user owns resource 12345 before serving it, any user who knows or can guess that ID can access the data.

Horizontal privilege escalation allows users to access resources belonging to other users at the same privilege level. Vertical privilege escalation allows users to perform actions reserved for higher-privilege roles: accessing admin panels, executing privileged API endpoints, or modifying access control lists themselves.

Path traversal vulnerabilities allow attackers to read files outside the intended scope by manipulating file paths in application requests. A vulnerable file download feature might allow access to configuration files, database credentials, or system files that the application has no business serving.

Why It Is So Hard to Fix Comprehensively

Access control failures are difficult to catch with automated scanning. A scanner can test whether an admin endpoint returns a 403 for unauthenticated requests. It cannot test whether a user with account ID 100 can access the data belonging to account ID 101, because that requires understanding the application’s data model and creating test accounts with known relationships.

Web application penetration testing by an experienced tester who approaches the application the way an attacker would is how these issues are reliably found. The tester maps the application’s data objects, identifies all exposed identifiers, and systematically tests whether authorisation is correctly enforced for each.

In large applications with complex data models and multiple user roles, comprehensive testing is time-consuming. This is why access control vulnerabilities persist: they require a depth of testing that is not always allocated.

Prevention Through Secure Design

The most effective approach to broken access control is to build it correctly from the start. This means defining authorisation requirements during design, implementing server-side enforcement consistently across all endpoints, and defaulting to denial when a permission check is ambiguous.

Centralised authorisation logic is easier to audit and test than access control checks scattered across hundreds of functions. If your application enforces access control in one place, a single review confirms its correctness. If it is scattered, every endpoint needs individual verification.

Unit tests that specifically validate authorisation behaviour (confirming, for example, that user A cannot access user B’s data) catch regressions before they reach production. These tests are quick to write and run, and they provide ongoing assurance that changes to business logic have not broken access control elsewhere.
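As an added illustration (not code from this article or from Aardwolf Security), the following shows the design described above: one centralised policy function that denies anything not explicitly allowed, and a resource handler that consults it before serving a document looked up by an identifier taken from the request. The users, roles, document IDs and the DOCUMENTS store are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "user" or "admin"


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    """Raised whenever the policy does not explicitly allow the request."""


# Constructed sample data: two accounts, each owning one document.
DOCUMENTS = {
    12345: Document(id=12345, owner_id=100, body="report for account 100"),
    67890: Document(id=67890, owner_id=101, body="report for account 101"),
}


def authorize(user: User, action: str, doc: Document) -> bool:
    """Single policy decision point for the whole application.

    Every rule is an explicit allow; anything that falls through,
    including an action the policy has never heard of, is denied.
    """
    if action == "read":
        return user.role == "admin" or doc.owner_id == user.id
    if action == "delete":
        return user.role == "admin"
    return False


def get_document(user: User, doc_id: int) -> str:
    """Server-side handler for GET /document/<doc_id>.

    The identifier in the URL is untrusted input: finding the record
    never grants access on its own, the policy check does.
    """
    doc = DOCUMENTS.get(doc_id)
    # A missing document and someone else's document get the same answer,
    # so the response does not reveal which identifiers exist.
    if doc is None or not authorize(user, "read", doc):
        raise Forbidden(f"user {user.id} may not read document {doc_id}")
    return doc.body
```

The regression tests the article recommends are then a handful of assertions against get_document and authorize: the owner can read their own document, a peer at the same privilege level cannot, and an unknown action is refused even for an administrator.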

If your web applications have not been tested for broken access control recently, getting a penetration test quote is the right starting point. Given that this is the most common and impactful vulnerability class, the probability of finding meaningful issues is high.

Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
