Why It Matters
Authentication answers who you are. Authorization answers what you are allowed to do. Broken access control is what happens when an application checks the first and forgets the second. It is the most common serious flaw on the web, which is why OWASP moved it to number one in the 2021 Top 10, and it is often the easiest class for a beginner to find because exploitation can be as simple as changing one value in a request.
Common Types
- IDOR and BOLA: swap an object identifier and receive another user's data. See IDOR and BOLA.
- Vertical privilege escalation: a normal user reaches admin functionality they should not. See privilege escalation.
- Forced browsing: navigating directly to hidden or unlinked endpoints that were never meant to be reachable.
- HTTP method tampering: an unguarded verb such as HEAD or OPTIONS bypasses a control set only for GET and POST.
- Header-based bypass: spoofing X-Forwarded-For: 127.0.0.1 or using X-Original-URL to defeat an IP or path restriction and turn a 403 into a 200.
A Worked Example
A request to /api/admin/backup returns 403 Forbidden with the message "admin IP required". Adding the header X-Forwarded-For: 127.0.0.1 returns 200 OK with the backup file, because the server trusts a client supplied IP header it never validated. Separately, changing userId=123 to userId=124 returns a different user's profile because the server confirmed the session was valid but never checked object ownership. Both are broken access control, found by parameter tampering and header manipulation in a proxy such as Burp Suite.
How to Test for It
The reliable method uses two accounts. Log in as User A, capture a request that reaches one of their objects, then replay it with User B's session, or simply swap the identifier, and see whether User A's data comes back. Test every CRUD action, not just reads, since update and delete are often less protected. Try reaching admin endpoints as a normal user, accessing the application with no session at all, and combining the method and header bypasses above. A control that holds for a GET may fail for a DELETE.
Impact
Because access control governs every object and action, a single flaw can expose every user's data, allow account takeover, or grant administrative control. Real incidents range from reading other customers' invoices to mass data extraction through a single enumerable identifier, which is why triage teams consistently rank these findings highly.
Prevention
Deny by default and grant explicitly. Enforce authorization server side on every request, verify object ownership rather than only login state, apply controls to all methods, and never trust client supplied headers for identity or hidden URLs for protection. Centralize the logic, test with multiple accounts, and alert on access that crosses user boundaries.
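As an added example (not code from the original page or the bootcamp's own material), here is the flawed check from the worked example above beside a deny-by-default version that follows these rules. The routes, user ids, Request shape and sample data are constructed for illustration.

```python
"""Constructed example: a broken authorization check next to a hardened one."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two ordinary users and one admin.
USERS = {"123": {"role": "user"}, "124": {"role": "user"}, "1": {"role": "admin"}}
PROFILES = {"123": {"owner": "123", "name": "Alice"},
            "124": {"owner": "124", "name": "Bob"}}


@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[str]          # user id bound to the session cookie, or None
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    remote_addr: str = "203.0.113.5"     # socket peer address, set by the server


def vulnerable_authorize(req: Request) -> int:
    """The flawed logic: trusts a client header and only confirms a session exists."""
    if req.path.startswith("/api/admin/"):
        # Client-controlled header decides admin access.
        ip = req.headers.get("X-Forwarded-For", req.remote_addr)
        return 200 if ip == "127.0.0.1" else 403
    if req.session_user is None:
        return 401
    return 200  # logged in, but ownership of ?userId= is never checked


def hardened_authorize(req: Request) -> int:
    """Deny by default: identity from the session, ownership from the object, every method."""
    if req.session_user is None:
        return 401
    role = USERS.get(req.session_user, {}).get("role")
    if req.path.startswith("/api/admin/"):
        # Admin status comes from the authenticated principal, never from a header.
        return 200 if role == "admin" else 403
    if req.path == "/api/profile":
        target = PROFILES.get(req.params.get("userId"))
        # Same rule for GET, PUT and DELETE; a missing object and a foreign object
        # get the same answer so the identifier cannot be enumerated.
        if target is not None and (target["owner"] == req.session_user or role == "admin"):
            return 200
        return 403
    return 403  # unknown route: nothing is implicitly allowed
```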
How We Teach Broken Access Control
In our Cybersecurity Bootcamp, you won't just learn about Broken Access Control in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included