Broken Access Control

OWASP Top 10 - A5

What is Broken Access Control?

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:

  • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool
  • Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
  • Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user.
  • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation
  • CORS misconfiguration allows unauthorized API access.
  • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE.

Broken Access Control examples

Example #1: The application uses unverified data

The application uses unverified data in a SQL call that is accessing account information:


        pstmt.setString(1, request.getParameter("acct"));
        ResultSet results = pstmt.executeQuery();
      

An attacker simply modifies the acct parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user's account.

        http://example.com/app/accountInfo?acct=notmyacct

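As an added example (not code from the original page), the same lookup written in Python against an in-memory SQLite table of constructed accounts, with the vulnerable form beside a hardened one that scopes the query to the authenticated user taken from the server-side session. The table layout, user names and account numbers are assumptions made for the demo.

```python
import sqlite3
from typing import List, Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; schema and values are not from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 2500), ("1002", "bob", 40), ("2001", "carol", 990000)],
    )
    conn.commit()
    return conn


# Denied lookups are recorded so a detection rule can alert on one session that
# asks for many account numbers it does not own.
denied_attempts: List[Tuple[Optional[str], str]] = []


def account_info_vulnerable(conn: sqlite3.Connection, acct: str) -> Optional[Tuple[str, int]]:
    """Same shape as the page's JDBC snippet: the bound parameter prevents SQL
    injection, but the client-supplied acct is the only thing selecting the row."""
    return conn.execute(
        "SELECT acct, balance FROM accounts WHERE acct = ?", (acct,)
    ).fetchone()


def account_info(conn: sqlite3.Connection, session_user: Optional[str], acct: str) -> Optional[Tuple[str, int]]:
    """Hardened lookup: the row must also belong to the authenticated user, whose
    identity comes from the server-side session and never from the request."""
    if session_user is None:
        denied_attempts.append((None, acct))
        return None  # unauthenticated: deny by default
    row = conn.execute(
        "SELECT acct, balance FROM accounts WHERE acct = ? AND owner = ?",
        (acct, session_user),
    ).fetchone()
    if row is None:
        # One response for "no such account" and "not your account", so the
        # caller cannot use the difference to enumerate valid account numbers.
        denied_attempts.append((session_user, acct))
    return row


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, bob asks for 2001:", account_info_vulnerable(db, "2001"))
    print("hardened,   bob asks for 2001:", account_info(db, "bob", "2001"))
    print("hardened,   carol asks for 2001:", account_info(db, "carol", "2001"))
```

The ownership condition lives in the query itself, so there is no separate "fetch, then compare" step that a later refactor can drop. The denied_attempts list stands in for an audit log: a burst of denials from one session with many distinct acct values is the signature to alert on.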
Example #2: An attacker simply force browses to target URLs

Admin rights are required for access to the admin page.

        http://example.com/app/getappInfo
        http://example.com/app/admin_getappInfo

If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw.

How to prevent Broken Access Control

Access control is only effective if enforced in trusted server-side code or a serverless API, where the attacker cannot modify the access control check or its metadata.

  • Deny access to functionality by default.
  • Use access control lists and role-based authorization mechanisms.
  • Do not just hide functions in the UI; the server must still enforce the check on every request.
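An added example (not code from the original page) of the three rules above applied to the Example #2 URLs: a server-side allow-list keyed by method and path, where anything not listed is denied to everyone, and the role check runs in the dispatcher regardless of whether the link was ever shown to the user. Role names, the Session type and the POST entry are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Session:
    """Authenticated identity as the server knows it; roles never come from the client."""
    user: str
    roles: FrozenSet[str]


# Explicit allow-list keyed by (method, path). A route or method that is absent is
# denied to everyone, so a new endpoint is unreachable until access is granted
# on purpose. The two paths are the page's Example #2 URLs; roles are assumed.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET", "/app/getappInfo"): frozenset({"user", "admin"}),
    ("GET", "/app/admin_getappInfo"): frozenset({"admin"}),
    ("POST", "/app/admin_getappInfo"): frozenset({"admin"}),
}


def authorize(method: str, url: str, session: Optional[Session]) -> bool:
    if session is None:
        return False                      # force browsing while unauthenticated
    allowed = POLICY.get((method.upper(), urlsplit(url).path))
    if allowed is None:
        return False                      # unmapped route or method: deny by default
    return bool(allowed & session.roles)  # the role check lives here, not in the UI


def handle(method: str, url: str, session: Optional[Session]) -> int:
    """Dispatcher: the check runs before any handler, whether or not a link was rendered."""
    if not authorize(method, url, session):
        return 403
    return 200


if __name__ == "__main__":
    user = Session("alice", frozenset({"user"}))
    admin = Session("root", frozenset({"admin"}))
    for who, sess in (("anonymous", None), ("alice", user), ("root", admin)):
        for path in ("/app/getappInfo", "/app/admin_getappInfo"):
            print(f"{who:9} GET {path}: {handle('GET', 'http://example.com' + path, sess)}")
```

Keying the policy on the method as well as the path is what closes the "missing access controls for POST, PUT and DELETE" case listed earlier: a DELETE to a path that only grants GET is rejected without anyone having written a rule for it.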

How Hdiv can help

The information flow control system implemented by Hdiv lets the server control the resources (links and forms) it exposes to each user, and prevents the client from breaking that original server contract. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv is able to know which resources are legitimately accessible to each user.
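To make the idea in this paragraph concrete, here is an added toy model in Python of a per-session "server contract": the server records every link and form it renders for a session, and a later request is accepted only if it matches something that was actually offered. This is an illustration of the concept written for this page, not Hdiv's own code or a description of its internals; the URLs reuse the page's Example #1 and #2 paths, and the search form, session ids and the editable-parameter rule are assumptions.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

Params = Tuple[Tuple[str, str], ...]
# (path, parameters pinned to their rendered values, names the user may edit)
Exposed = Tuple[str, Params, FrozenSet[str]]


class FlowContract:
    """Per-session record of the links and forms the server actually rendered.
    A request the server never offered to this session is rejected, even when no
    ACL was ever written for that resource."""

    def __init__(self) -> None:
        self._exposed: Dict[str, Set[Exposed]] = {}

    @staticmethod
    def _split(url: str) -> Tuple[str, Params]:
        parts = urlsplit(url)
        return parts.path, tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))

    def render_link(self, session_id: str, url: str, editable: Iterable[str] = ()) -> str:
        """Call wherever the server emits a link or form action. Parameters the user
        legitimately types into (a search box) are declared editable; every other
        parameter is pinned to the value the server rendered."""
        editable_names = frozenset(editable)
        path, params = self._split(url)
        fixed = tuple(p for p in params if p[0] not in editable_names)
        self._exposed.setdefault(session_id, set()).add((path, fixed, editable_names))
        return url

    def validate(self, session_id: str, requested_url: str) -> bool:
        """True only if a rendered resource matches on path and on every
        non-editable parameter. Unknown paths, changed values and extra
        parameters all fail; a session that saw nothing can request nothing."""
        path, params = self._split(requested_url)
        for exp_path, fixed, editable_names in self._exposed.get(session_id, ()):
            if exp_path != path:
                continue
            req_fixed = tuple(p for p in params if p[0] not in editable_names)
            if req_fixed == fixed:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice's page rendered one account link and one search form."""
    fc = FlowContract()
    fc.render_link("sess-alice", "http://example.com/app/accountInfo?acct=1001")
    fc.render_link("sess-alice", "http://example.com/app/search?q=", editable={"q"})
    return {
        "own account": fc.validate("sess-alice", "http://example.com/app/accountInfo?acct=1001"),
        "tampered acct": fc.validate("sess-alice", "http://example.com/app/accountInfo?acct=notmyacct"),
        "forced admin page": fc.validate("sess-alice", "http://example.com/app/admin_getappInfo"),
        "editable search": fc.validate("sess-alice", "http://example.com/app/search?q=hello"),
        "added param": fc.validate("sess-alice", "http://example.com/app/search?q=hello&acct=1001"),
        "other session": fc.validate("sess-bob", "http://example.com/app/accountInfo?acct=1001"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'allowed' if ok else 'rejected'}")
```

The point of the model is that the acct tampering from Example #1 and the forced browsing from Example #2 are both rejected without any per-resource authorization rule, because neither request matches what the server rendered for that session. A production implementation would additionally have to bind the contract to an unguessable session identifier, expire or bound the recorded state, and decide which parameters are editable per form; this toy keeps everything in process memory.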

Risk Covered

Hdiv flow control prevents any client attempt to break the server contract.