Broken Access Control: Risks and Remediation

Broken access control represents the top-ranked vulnerability category in the OWASP Top 10 as of the 2021 edition, appearing in 94% of tested applications according to OWASP's published findings. This page covers the definition and scope of broken access control, the mechanisms through which it is exploited, the documented scenarios where it causes material harm, and the decision boundaries that separate adequate from deficient access control implementations. The subject spans web applications, APIs, mobile software, and cloud-hosted services — any system where user permissions govern access to resources or actions.

Definition and scope

Access control is the set of policies and enforcement mechanisms that restrict which authenticated or unauthenticated principals can perform which actions on which resources. Broken access control occurs when those restrictions are incorrectly implemented, incompletely enforced, or bypassed entirely — allowing users to act outside their intended permissions.

MITRE classifies access control failures under multiple entries in the Common Weakness Enumeration (CWE), including CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), and CWE-639 (Authorization Bypass Through User-Controlled Key). These entries distinguish between failures at the policy definition layer and failures at the enforcement layer — a distinction with direct remediation consequences.

The NIST National Institute of Standards and Technology addresses access control formally in NIST SP 800-53 Rev 5 under control family AC (Access Control), which specifies requirements for account management, least privilege, separation of duties, and information flow enforcement across federal information systems. mandates compliance with these controls for federal agencies and their contractors, making broken access control a regulatory exposure, not only a technical one.

Broken access control is distinct from authentication failure. Authentication verifies identity; authorization determines what a verified identity is permitted to do. A system can authenticate users correctly while still failing to restrict their actions — these are separate control layers with separate failure modes.

How it works

Exploitation of broken access control follows a pattern with identifiable phases:

1. Reconnaissance — An attacker identifies resource identifiers, API endpoints, URL parameters, or role-based UI elements that suggest access-controlled functionality. Object identifiers (e.g., /api/orders/10042) are particularly informative.
2. Permission boundary probing — The attacker substitutes or enumerates identifiers, modifies request parameters, or alters HTTP methods (e.g., changing GET to PUT or DELETE) to test whether the server enforces authorization checks independently of what the client presents.
3. Privilege escalation — If the server relies on client-supplied role tokens, hidden form fields, or predictable session attributes, the attacker modifies those values to assume higher privilege levels.
4. Resource access or manipulation — Unauthorized data is read, modified, deleted, or exfiltrated. In administrative contexts, full account takeover or configuration changes become possible.

The core failure mode is server-side trust in client-supplied authorization context — the application assumes that because a client presents a valid session, it has verified entitlement to the requested resource. When authorization checks are omitted, delegated to the client, or implemented only in the UI layer rather than the backend, the control fails.

Insecure Direct Object Reference (IDOR) is the most common sub-variant. IDOR occurs when a server exposes a direct reference to an internal object (database record, file, user account) via a predictable identifier and fails to verify that the requesting user owns or is authorized to access that object. A second major sub-variant is path traversal via provider network providers, where misconfigured servers expose file system contents outside the intended root.

Common scenarios

Horizontal privilege escalation — A user accesses another user's data by substituting a different user ID in a request. Example: /account/profile?user_id=8821 returns the profile of user 8821 regardless of which user is authenticated. This is the canonical IDOR scenario and represents a failure to enforce object-level authorization.

Vertical privilege escalation — A standard user accesses administrative functions by navigating directly to an admin URL or API endpoint that lacks server-side role checks. The UI may not display the link, but the endpoint remains accessible. This failure is common when access control is enforced in front-end routing rather than in the server-side authorization layer.

JWT and token manipulation — Applications using JSON Web Tokens (JWT) that do not validate the signature algorithm — particularly those that accept alg: none — allow attackers to forge tokens with arbitrary claims. The OWASP API Security Top 10 lists broken object-level authorization (BOLA) as the top API-specific risk, which maps directly to this category.

Cross-tenant data access in multi-tenant systems — In SaaS architectures, a failure to scope database queries by tenant identifier allows users in one organization to read or modify records belonging to a different tenant. This exposure can implicate the FTC Act Section 5 unfair or deceptive practices standard when personal data is involved, and triggers HIPAA breach notification obligations when health records are exposed (HHS Breach Notification Rule, 45 CFR §164.400).

Forced browsing to unprotected sensitive files — Backup files, configuration exports, or database dumps placed in web-accessible networks without authentication controls are discoverable through provider network enumeration. This scenario appears consistently in breach reports reviewed by the CISA Known Exploited Vulnerabilities Catalog.

Decision boundaries

Distinguishing broken access control from adjacent vulnerability classes requires precise scoping. The Application Security Providers at this authority covers the broader taxonomy of application-layer weaknesses within which access control failures sit.

Broken access control vs. authentication bypass — Authentication bypass circumvents identity verification entirely; broken access control occurs after identity is established. If a session mechanism is forged to skip login, the failure is authentication. If a legitimate session accesses resources not permitted to that identity, the failure is authorization.

Broken access control vs. security misconfiguration — OWASP Top 10 item A05 (Security Misconfiguration) overlaps with access control in scenarios such as open S3 buckets or provider network providers. The classification boundary lies in intent and layer: security misconfiguration describes infrastructure defaults or deployment errors, while broken access control describes the absence or failure of an explicit authorization policy at the application logic layer.

Mandatory vs. discretionary access control (MAC vs. DAC) — NIST SP 800-53 AC-3 distinguishes between mandatory access control (policy enforced by the system independent of user action) and discretionary access control (policy administered by resource owners). Broken access control vulnerabilities most commonly appear in DAC implementations where ownership checks are absent or bypassable. MAC failures tend to manifest as policy definition errors rather than missing enforcement.

Remediation decision framework:

The provides context for how broken access control fits within the broader application security service landscape, and professionals seeking qualified remediation resources can navigate the application security providers provider network for vetted service providers operating in this domain.