Index · TL;DR

1 min read
18 min read
Rapid overview

TL;DR

Broken Access Control is the #1 risk in the OWASP Top 10 (A01:2021) because it is both the most widespread and the most damaging class of web vulnerability: it occurs whenever a user can act outside their intended permissions — reading another customer's invoice, editing a record they don't own, or invoking an admin-only function as a regular user. The root cause is almost always the same: the application correctly authenticates who you are but fails to consistently authorize what you're allowed to do, and it makes that mistake by trusting client-supplied data (object IDs, roles in a JWT, hidden form fields) or by enforcing the rule only in the UI rather than on the server, on every request. The fixes are conceptually simple and architecturally hard: deny by default, enforce authorization server-side at the resource on each request, scope every data lookup to the authenticated principal, and never reconstruct a user's privileges from anything the client sent.

See also