Broken Access Control
Also known as: Authorization flaws · Privilege escalation
Broken Access Control is the top category in the OWASP Top 10 (2021). It covers failures to enforce what an authenticated user is allowed to do: horizontal escalation (accessing peers' data), vertical escalation (gaining admin rights), missing function-level checks, and metadata manipulation. It is the umbrella under which IDOR/BOLA, forced browsing, and privilege escalation live.
- CWE
- CWE-284
How it works
- 1Authorization is enforced inconsistently or only in the UI, not the API.
- 2The attacker requests a resource or function they should not be permitted to use.
- 3The server fails to check the principal's permissions for that object or action.
- 4The attacker reads data, performs privileged actions, or escalates their role.
Example
# Forced browsing to an admin function as a normal user
POST /api/admin/users/12/promote HTTP/2
Authorization: Bearer <non-admin token>
# 200 OK -> missing function-level authorizationImpact
Broken access control leads to data breaches, account and tenant takeover, and unauthorized administrative actions - the most common root cause of serious web and API incidents.
Remediation
- Deny by default; enforce authorization server-side on every object and function.
- Centralize policy decisions rather than duplicating checks per endpoint.
- Test both horizontal and vertical access paths continuously.
- Log access-control failures and alert on anomalies.
Detection & testing
Exercise every endpoint with least-privileged and cross-tenant credentials; confirm the server rejects unauthorized objects and functions. Continuous testing catches regressions as roles change.
Impactr tests for Broken Access Control the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.
Test my app for Authorization flawsTools
Frequently asked questions
What is the difference between horizontal and vertical privilege escalation?
Horizontal escalation accesses another user's data at the same privilege level (e.g. IDOR). Vertical escalation gains higher privileges, such as a normal user reaching admin functionality.