A01:2021 – Broken Access Control - Cyber Security https://www.hacktheforum.com/cyber-security/a012021-broken-access-control/ Hack The Forum Discussion Board en Sat, 18 Apr 2026 21:53:45 +0000 wpForo 60 A01:2021 – Broken Access Control https://www.hacktheforum.com/cyber-security/a012021-broken-access-control/#post-19912 Wed, 05 Nov 2025 01:32:08 +0000 Broken Access Control occurs when a web application fails to properly enforce restrictions on what authenticated users can do.
In other words, users can act outside of their intended permissions — such as accessing other users’ data, modifying resources they shouldn’t, or performing administrative functions.

Examples of Broken Access Control

Example Description
Insecure Direct Object References (IDOR) A user accesses someone else’s data by modifying a resource identifier in a request (e.g., /account?id=1234/account?id=1235).
Force Browsing Accessing restricted pages (like /admin) by guessing URLs without proper authorization checks.
Vertical Privilege Escalation A normal user performing admin actions (e.g., deleting other users) due to missing role checks.
Horizontal Privilege Escalation A user accessing another user’s resources (e.g., viewing another person’s profile).
CORS Misconfiguration Improperly configured Cross-Origin Resource Sharing that allows unauthorized domains to access sensitive APIs.

Common Causes

  • Missing or ineffective access control checks on server-side.

  • Relying on client-side enforcement (e.g., hiding buttons in the UI but not enforcing server-side checks).

  • Using predictable identifiers (IDs, filenames, URLs).

  • Misconfigured permissions or default roles.

  • Lack of centralized access control logic (scattered or inconsistent enforcement).

]]> Cyber Security Rinki Singh https://www.hacktheforum.com/cyber-security/a012021-broken-access-control/#post-19912