Broken Access Control occurs when a web application fails to properly enforce restrictions on what authenticated users can do.
In other words, users can act outside of their intended permissions — such as accessing other users’ data, modifying resources they shouldn’t, or performing administrative functions.
Examples of Broken Access Control
| Example | Description |
|---|---|
| Insecure Direct Object References (IDOR) | A user accesses someone else’s data by modifying a resource identifier in a request (e.g., /account?id=1234 → /account?id=1235). |
| Force Browsing | Accessing restricted pages (like /admin) by guessing URLs without proper authorization checks. |
| Vertical Privilege Escalation | A normal user performing admin actions (e.g., deleting other users) due to missing role checks. |
| Horizontal Privilege Escalation | A user accessing another user’s resources (e.g., viewing another person’s profile). |
| CORS Misconfiguration | Improperly configured Cross-Origin Resource Sharing that allows unauthorized domains to access sensitive APIs. |
Common Causes
- Missing or ineffective access control checks on server-side.
- Relying on client-side enforcement (e.g., hiding buttons in the UI but not enforcing server-side checks).
- Using predictable identifiers (IDs, filenames, URLs).
- Misconfigured permissions or default roles.
- Lack of centralized access control logic (scattered or inconsistent enforcement).
Posted : 05/11/2025 7:02 am
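Added example, not part of the original post: the IDOR row from the table and the "centralized access control" cause from the list, shown as a vulnerable handler beside a hardened one. No web framework is used; a request is simulated as a plain function call over a constructed in-memory account store, and the names User, Forbidden, authorize and SAMPLE_ACCOUNTS are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised by the server-side check; a real handler maps it to 403/404."""


# Constructed sample data (hypothetical): account id -> record.
SAMPLE_ACCOUNTS = {
    1234: {"owner": 1, "balance": 500},
    1235: {"owner": 2, "balance": 9000},
}


def get_account_vulnerable(user, account_id, accounts):
    """IDOR: the id taken from the query string is trusted as-is, so any
    logged-in user who changes ?id=1234 to ?id=1235 reads another record."""
    return accounts[account_id]


def authorize(user, action, account_id, accounts):
    """One server-side policy shared by every handler (centralized logic).
    Owners may read their own account; admins may read or delete any."""
    record = accounts.get(account_id)
    if record is None:
        raise Forbidden("not found")  # same answer as 'denied', so ids can't be enumerated
    is_owner = record["owner"] == user.id
    is_admin = user.role == "admin"
    if action == "read" and (is_owner or is_admin):
        return
    if action == "delete" and is_admin:
        return
    raise Forbidden("not found")


def get_account_fixed(user, account_id, accounts):
    authorize(user, "read", account_id, accounts)
    return accounts[account_id]


def delete_account_fixed(user, account_id, accounts):
    authorize(user, "delete", account_id, accounts)
    del accounts[account_id]
    return account_id


def is_allowed(user, action, account_id, accounts):
    """Boolean view of authorize(); fine for UI hints, never the only check."""
    try:
        authorize(user, action, account_id, accounts)
        return True
    except Forbidden:
        return False
```

Note that the hardened version answers "not found" for both a missing id and a denied one, so a client cannot tell which identifiers exist by probing.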
