Broken Access Control has been the number one vulnerability in OWASP Top 10 since 2021. Every third web application has authorization problems — users access data they don’t have permission to.
What is Broken Access Control¶
Access control ensures that users can only do what they’re authorized to do. Broken access control occurs when the application doesn’t perform this check correctly — users can modify others’ data, access admin interfaces, or escalate their privileges.
Typical Attacks¶
- IDOR (Insecure Direct Object Reference): Changing ID in URL — /api/users/123 → /api/users/456
- Forced browsing: Direct access to /admin without role check
- Parameter tampering: Changing role in POST request — role=user → role=admin
- Path traversal: Access to files outside allowed directory
Example of Vulnerable Code¶
// ❌ BAD — no ownership check
app.get('/api/orders/:id', async (req, res) => {
const order = await Order.findById(req.params.id);
res.json(order);
});
// ✅ GOOD — ownership check
app.get('/api/orders/:id', async (req, res) => {
const order = await Order.findById(req.params.id);
if (!order || order.userId !== req.user.id) {
return res.status(403).json({ error: 'Forbidden' });
}
res.json(order);
});
Prevention¶
- Deny by default — everything forbidden unless explicitly allowed
- Authorization check on server, never just on client
- Use RBAC or ABAC for permission management
- Log all unauthorized access attempts
- Automated authorization tests in CI/CD
Middleware pattern¶
const authorize = (allowedRoles) => { return (req, res, next) => { if (!req.user || !allowedRoles.includes(req.user.role)) { return res.status(403).json({ error: ‘Insufficient permissions’ }); } next(); }; }; app.delete(‘/api/users/:id’, authorize([‘admin’]), deleteUser);
Key Takeaway¶
Access control belongs on the server. Every endpoint must verify whether the current user has the right to perform the given action. Deny by default, log attempts, test automatically.