IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. Broken Access Control
Access ControlHigh

Broken Access Control

Also known as: Authorization flaws · Privilege escalation

Broken Access Control is the top category in the OWASP Top 10 (2021). It covers failures to enforce what an authenticated user is allowed to do: horizontal escalation (accessing peers' data), vertical escalation (gaining admin rights), missing function-level checks, and metadata manipulation. It is the umbrella under which IDOR/BOLA, forced browsing, and privilege escalation live.

CWE
CWE-284
OWASP
A01:2021API1:2023

How it works

  1. 1Authorization is enforced inconsistently or only in the UI, not the API.
  2. 2The attacker requests a resource or function they should not be permitted to use.
  3. 3The server fails to check the principal's permissions for that object or action.
  4. 4The attacker reads data, performs privileged actions, or escalates their role.

Example

# Forced browsing to an admin function as a normal user
POST /api/admin/users/12/promote HTTP/2
Authorization: Bearer <non-admin token>

# 200 OK -> missing function-level authorization
A missing function-level authorization check.

Impact

Broken access control leads to data breaches, account and tenant takeover, and unauthorized administrative actions - the most common root cause of serious web and API incidents.

Remediation

  • Deny by default; enforce authorization server-side on every object and function.
  • Centralize policy decisions rather than duplicating checks per endpoint.
  • Test both horizontal and vertical access paths continuously.
  • Log access-control failures and alert on anomalies.

Detection & testing

Exercise every endpoint with least-privileged and cross-tenant credentials; confirm the server rejects unauthorized objects and functions. Continuous testing catches regressions as roles change.

Impactr tests for Broken Access Control the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for Authorization flaws

Tools

ImpactrBurp Suite (Autorize)Caido

Frequently asked questions

What is the difference between horizontal and vertical privilege escalation?

Horizontal escalation accesses another user's data at the same privilege level (e.g. IDOR). Vertical escalation gains higher privileges, such as a normal user reaching admin functionality.

Related concepts

Insecure Direct Object Reference (IDOR)Cross-Site Request Forgery (CSRF)JWT Attacks
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub