Broken Access Control

Broken access control is described as the class of vulnerabilities related to user authorization. Websites need to allow certain permissions for public users and must have an administrator who can allow or deny certain privileges to other users.


For example, an attacker force-browses to target URLs. Admin rights are required to access the admin page.


If an unauthenticated user can access either of the pages, it's a flaw. If a non-admin can access the admin page, that is also a flaw.


  • Allowing the primary key to be changed to another user's record, permitting viewing or editing of someone else's account.

  • Privilege escalation: acting as a user or admin without being logged in.

  • Bypassing access control checks by modifying the URL or the HTML page, or by using a custom API attack tool.

Mitigation / Precaution

  • Use a central application component to verify access control.

  • Drive all access control decisions from a lower-privileged user's session.
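As an added illustration that is not part of the original article, the Python sketch below puts the changed-primary-key flaw beside a version that routes every decision through one central, deny-by-default authorization function, as the mitigation list recommends. The Session class, the account records and all function names are constructed for this example.

```python
# Added example: the flaws listed above (changed primary key, force-browsing
# to an admin page) next to the "central access control component" fix.
# Users, records and sessions are constructed sample data, not a real app.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user_id: Optional[int]   # None models an unauthenticated visitor
    role: str = "anonymous"  # "user" or "admin" once logged in

# Constructed sample data: account records keyed by primary key.
ACCOUNTS = {
    1001: {"owner": 1, "email": "alice@example.invalid"},
    1002: {"owner": 2, "email": "bob@example.invalid"},
}

def get_account_vulnerable(session: Session, account_id: int) -> Optional[dict]:
    """Broken: trusts the client-supplied primary key, so changing
    ?id=1001 to ?id=1002 discloses another user's record."""
    return ACCOUNTS.get(account_id)

def authorize(session: Session, action: str, resource: Optional[dict] = None) -> bool:
    """Single, central decision point. Deny by default; every handler
    calls this instead of scattering checks through the code base."""
    if session.user_id is None:           # unauthenticated: nothing allowed
        return False
    if action == "view_admin_page":
        return session.role == "admin"
    if action == "view_account":
        # Ownership check closes the changed-primary-key flaw;
        # admins may view any record.
        return resource is not None and (
            resource["owner"] == session.user_id or session.role == "admin")
    return False                          # unknown action: deny

def get_account_secure(session: Session, account_id: int) -> Optional[dict]:
    """Fixed: the record is looked up, then the central check decides."""
    record = ACCOUNTS.get(account_id)
    return record if authorize(session, "view_account", record) else None

def admin_page(session: Session) -> str:
    """Force-browsing to /admin is harmless when the route itself checks."""
    if authorize(session, "view_admin_page"):
        return "admin dashboard"
    return "403 Forbidden"
```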
