🚫 A01:2021 – Broken Access Control Explained

Kohsheen Razdan
2 min read

Imagine you walk into a hotel, and by mistake, the receptionist gives you a keycard to someone else’s room. You swipe the card, walk in—and suddenly, you're inside a stranger’s room, with full access to their belongings.

That’s exactly what Broken Access Control looks like in the digital world. The system should have verified whether you were authorized for that room—but it didn’t.
Now, imagine this happening on a banking app, a healthcare portal, or a student record system. Scary, right?

šŸ”Broken Access Control occurs when these restrictions are not properly enforced, allowing attackers to:

  • View or modify other users’ data

  • Perform unauthorized operations

  • Escalate privileges

No wonder it jumped from 5th in 2017 to 1st place in 2021 in the OWASP Top 10 list! According to OWASP, 94% of applications were tested for some form of broken access control, with an average incidence rate of 3.81%, the highest of any category in the data set.


āš ļø Common Examples of Broken Access Control:

  • 🔓 Insecure Direct Object References (IDOR): Accessing or modifying someone else’s account by changing a user or record ID in the URL or request body, because the server never checks that the ID belongs to the caller

  • 🚪 Forced Browsing: Reaching internal or admin pages simply by typing their URL, because the page is hidden from the menu but not actually protected by an authorization check

  • 💥 API Exploits: APIs that accept POST, PUT or DELETE requests without verifying that the caller has permission to perform that operation on that resource


šŸ›”ļø How to Prevent Broken Access Control:

Access control logic must be implemented securely on the server side, where it cannot be bypassed or modified by attackers.

Here are some effective practices:

  • ✅ Enforce Ownership Checks: Validate that users can only access or modify their own data

  • 🚫 Deny by Default: Deny access unless it is explicitly granted; only truly public resources should be the exception

  • 📜 Log and Alert: Monitor failed access attempts and notify admins when necessary

  • 🧱 Use Role-Based Access Control (RBAC): Clearly define what each role can and cannot do
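The following is an added example, not code from the original post: a framework-free Python authorization layer that shows the IDOR and forced-browsing failures from the examples list above beside the hardened form recommended here (server-side ownership checks, deny-by-default, RBAC, and logging of denied attempts). The users, roles, account IDs and in-memory log are all constructed for the example; authentication is assumed to have already happened.

```python
"""Added example (not from the original post): vulnerable IDOR handler beside a
hardened, server-side access-control layer. All data here is constructed."""
from dataclasses import dataclass, field
from typing import Optional
import logging

logger = logging.getLogger("authz")
DENIED_LOG: list = []   # in-memory record of denials, for alerting and tests

# Constructed principals and their roles (assumed, not from the post).
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}

# Constructed records keyed by guessable sequential IDs, the IDOR precondition.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 4000},
}

# RBAC table. Deny by default: an action missing from a role's set is forbidden,
# and a role missing from the table has no permissions at all.
ROLE_PERMISSIONS = {
    "user": frozenset({"account:read", "account:update"}),
    "admin": frozenset({"account:read", "account:update",
                        "account:delete", "admin:panel"}),
}


class Forbidden(Exception):
    """Raised when the server-side access decision is a denial."""


@dataclass
class Request:
    user: str                     # authenticated identity (authentication assumed)
    action: str                   # e.g. "account:read"
    account_id: Optional[int] = None
    body: dict = field(default_factory=dict)


# --- Vulnerable form: the ID comes straight from the URL and is never compared
# with the caller, so bob reads alice's account by changing 1002 to 1001.
def get_account_vulnerable(req: Request) -> dict:
    return ACCOUNTS[req.account_id]


# --- Hardened form: one server-side decision point every handler must call.
def _deny(req: Request, reason: str) -> None:
    event = {"user": req.user, "action": req.action,
             "account_id": req.account_id, "reason": reason}
    DENIED_LOG.append(event)           # "log and alert": repeated denials = probing
    logger.warning("access denied %s", event)
    raise Forbidden(reason)


def authorize(req: Request) -> None:
    role = USERS.get(req.user, {}).get("role")
    allowed = ROLE_PERMISSIONS.get(role, frozenset())
    if req.action not in allowed:                     # RBAC, deny by default
        _deny(req, "action not permitted for role")
    if req.account_id is not None:                    # ownership check
        record = ACCOUNTS.get(req.account_id)
        # A missing record and someone else's record produce the same denial,
        # so the response does not reveal which IDs exist.
        if record is None or (record["owner"] != req.user and role != "admin"):
            _deny(req, "caller is not the owner")


def get_account(req: Request) -> dict:
    authorize(req)
    return ACCOUNTS[req.account_id]


def update_balance(req: Request) -> dict:
    authorize(req)
    ACCOUNTS[req.account_id]["balance"] = req.body["balance"]
    return ACCOUNTS[req.account_id]


def admin_panel(req: Request) -> dict:
    authorize(req)            # forced browsing to /admin fails for non-admins
    return {"users": sorted(USERS)}


def is_allowed(req: Request) -> bool:
    """True if the hardened policy permits the request, False if it denies it."""
    try:
        authorize(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    probe = Request(user="bob", action="account:read", account_id=1001)
    print("vulnerable handler:", get_account_vulnerable(probe))   # leaks alice's data
    print("hardened allows probe?", is_allowed(probe))            # False
    print("bob reaches admin panel?", is_allowed(Request("bob", "admin:panel")))  # False
    print("denied events:", DENIED_LOG)
```

The important design choice is that every handler calls the same `authorize` function before touching data, so the policy lives in one place on the server and a handler cannot be reached without it. Returning the same denial for a nonexistent record and for someone else's record also stops an attacker from enumerating valid IDs by comparing responses.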


šŸ” In short:
Broken access control is one of the most exploited vulnerabilities in web apps. It’s crucial to treat all access decisions with strict scrutiny, validate every user’s permission server-side, and never trust client-side enforcement.

👉 In the next post, we'll dive into A02:2021 – Cryptographic Failures, where we explore how weak or misused encryption can put sensitive data at risk.
