PART 2. OWASP A01 Broken Access Control: Understanding IDOR, Authorization Flaws, and Privilege Escalation Attacks
1. Introduction
Imagine living in an apartment building where every resident has a key to their own room. Now imagine that by simply changing the room number written on a keycard, anyone could enter any apartment in the building.
That is exactly what Broken Access Control looks like in web applications.
A user logs into an application legitimately, but due to poor authorization checks, they can access data, accounts, or functionality that should be restricted. Unlike many technical vulnerabilities that require sophisticated exploitation, Broken Access Control often allows attackers to compromise sensitive systems using simple request manipulation.
This is one of the reasons why the Open Web Application Security Project (OWASP) ranked Broken Access Control as the #1 risk in the OWASP Top 10 (A01:2021).
In this article, we’ll explore what Broken Access Control is, how attackers exploit it, real-world incidents, and practical ways organizations can prevent it.

Understanding Access Control
Before discussing vulnerabilities, let’s understand how access control works. Every secure application relies on three fundamental security components:
a. Authentication
Authentication answers the question:
“Who are you?”
Examples:
- Username and password
- Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
The goal is to verify the user’s identity.
b. Session Management
Once authenticated, the application needs to remember who the user is.
This is achieved using:
- Session cookies
- JSON Web Tokens (JWTs)
- Session IDs
Without proper session management, authenticated users cannot maintain their login state across requests.
c. Authorization
Authorization answers:
“What are you allowed to do?”
Examples:
- Can this user view customer records?
- Can this user delete accounts?
- Can this user access the admin panel?
Authorization is where Broken Access Control typically occurs.
Difference Between Authentication and Authorization:

2. What Is Broken Access Control?
Broken Access Control occurs when an application fails to properly enforce restrictions on authenticated users.
As a result, attackers can:
- View sensitive information
- Modify data belonging to others
- Perform administrative actions
- Access restricted resources
- Escalate privileges
In simple terms:
The application knows who the user is but fails to verify what they are allowed to do.
3. Types of Access Control
1. Vertical Access Control
Vertical access control separates users based on privilege levels.
Example:
| Role | Permissions |
| --- | --- |
| User | View own profile |
| Manager | Manage team |
| Administrator | Full system control |
A normal user should never be able to access administrative functions.
Vertical Privilege Escalation
When a regular user gains administrative privileges, it is called vertical privilege escalation.
Example:
A normal user discovers:
https://company.com/admin
If the application does not verify the user’s role on the server side, the user gains administrative access simply by visiting the URL.
2. Horizontal Access Control
Horizontal access control restricts users from accessing other users’ data.
Example:
A banking customer should only see their own account balance.
If Customer A can view Customer B’s records, the application suffers from a horizontal access control failure.
3. Context-Dependent Access Control
Some actions must occur in a specific sequence.
Example:
Add item to cart
↓
Checkout
↓
Payment
↓
Order confirmation
If attackers can skip steps and directly invoke privileged functionality, access control has failed.
The Most Common Broken Access Control Attack: IDOR
One of the most dangerous and common access control flaws is:
4. Insecure Direct Object Reference (IDOR)
Consider this URL:
https://bank.com/account?id=1001
The server returns:
John's Account Details
An attacker changes the request:
https://bank.com/account?id=1002
If the application returns another customer’s account information without verifying ownership, the attacker has successfully exploited an IDOR vulnerability.
The attack requires no malware, no sophisticated exploit code, and often no special tools.
Just changing a number.
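As an added example (not code from the article), the lookup behind the bank URL above written twice in Python: first trusting the id from the request as the vulnerable handler does, then with the server-side ownership check that closes the IDOR. The account records are constructed.

```python
# Added example, not from the article: the account lookup behind
# https://bank.com/account?id=1001 written two ways, over a constructed
# in-memory store. The fixed version checks ownership on the server.

ACCOUNTS = {  # constructed sample data: account id -> record
    1001: {"owner": "john", "balance": 2500},
    1002: {"owner": "alice", "balance": 9800},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""

def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """IDOR: the handler trusts the id from the request and never asks
    whether the logged-in user owns that account."""
    return ACCOUNTS[account_id]

def get_account_fixed(session_user: str, account_id: int) -> dict:
    """Same lookup plus an object-level authorization check: the owner
    recorded on the server must match the authenticated session user."""
    record = ACCOUNTS.get(account_id)
    # One response for "does not exist" and "not yours", so the two cases
    # cannot be told apart by walking through ids.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not view account {account_id}")
    return record

def demo() -> dict:
    """John, logged in, fetches account 1001, then the same request is
    replayed with id=1002 against both handlers."""
    results = {
        "own_vulnerable": get_account_vulnerable("john", 1001)["owner"],
        "other_vulnerable": get_account_vulnerable("john", 1002)["owner"],  # alice's data
        "own_fixed": get_account_fixed("john", 1001)["owner"],
    }
    try:
        get_account_fixed("john", 1002)
        results["other_fixed"] = "leaked"
    except Forbidden:
        results["other_fixed"] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```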
5. Security Through Obscurity: Why Hidden URLs Don’t Work
Many developers believe hiding administrative URLs improves security.
Example:
/admin-panel-x9f7k2
The problem?
Attackers can discover hidden endpoints through:
- JavaScript files
- Source code leaks
- Browser developer tools
- Proxy tools
- Directory brute-forcing
Security professionals call this:
Security Through Obscurity
Hidden URLs are not security controls.
Proper authorization checks are.
6. Parameter Manipulation Attacks
Attackers often inspect requests looking for privilege indicators.
Example:
https://app.com/dashboard?role=user
An attacker changes:
role=user
to
role=admin
If the server trusts the client-side value, privilege escalation becomes trivial.
Never trust:
- Query parameters
- Hidden fields
- Cookies
- Client-side JavaScript
Authorization decisions must always be enforced on the server.
7. Multi-Step Workflow Bypass
Applications frequently implement sensitive operations through multiple steps.
Example:
Step 1: Open account modification page
Step 2: Submit updated information
Step 3: Confirm changes
Many developers protect steps 1 and 2 but forget step 3.
An attacker can directly send a crafted request to step 3 and bypass the entire workflow.
This is commonly seen in:
- Financial applications
- E-commerce systems
- Password reset processes
- Account management portals
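The three-step workflow above as an added Python example (not the article's code): each step checks account ownership on the server, and the step order is tracked in the server-side session rather than in any request field, so a request sent straight to step 3 is refused. The session and account records are constructed.

```python
# Added example, not from the article: server-side enforcement of the
# three-step workflow. Constructed session/account dicts stand in for a framework.
STEP_ORDER = ["open", "submit", "confirm"]  # steps 1, 2 and 3

class WorkflowError(Exception): pass  # a step was requested out of order
class Forbidden(Exception): pass      # session user does not own the account

def _authorize(session: dict, account: dict) -> None:
    if session.get("user") != account["owner"]:
        raise Forbidden("not the account owner")

def _require_previous(session: dict, step: str) -> None:
    idx = STEP_ORDER.index(step)  # refuse unless the server saw the prior step
    if idx > 0 and session.get("workflow_step") != STEP_ORDER[idx - 1]:
        raise WorkflowError(f"{step!r} requested before {STEP_ORDER[idx - 1]!r}")

def open_modification_page(session: dict, account: dict) -> str:  # step 1
    _authorize(session, account)
    session["workflow_step"] = "open"
    return "form"

def submit_updated_info(session: dict, account: dict, email: str) -> str:  # step 2
    _authorize(session, account)
    _require_previous(session, "submit")
    session["pending_email"] = email
    session["workflow_step"] = "submit"
    return "review"

def confirm_changes(session: dict, account: dict) -> str:  # step 3
    _authorize(session, account)          # the check developers forget here
    _require_previous(session, "confirm")
    account["email"] = session.pop("pending_email")
    session.pop("workflow_step")          # the flow is single-use
    return "done"

def demo() -> dict:
    account = {"owner": "john", "email": "old@example.com"}  # constructed
    legit = {"user": "john"}
    open_modification_page(legit, account)
    submit_updated_info(legit, account, "new@example.com")
    confirm_changes(legit, account)
    direct = {"user": "john"}  # fresh session, request goes straight to step 3
    try:
        confirm_changes(direct, account)
        skipped = "accepted"
    except WorkflowError:
        skipped = "rejected"
    return {"email": account["email"], "direct_to_step3": skipped}
```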
8. Real-World Broken Access Control Incidents
Theory is useful. Reality is far more convincing.
Facebook (2013)
Security researcher Khalil Shreateh discovered a vulnerability that allowed any user to delete photos from other Facebook accounts.
The flaw was caused by improper authorization validation.
Even though users were authenticated, Facebook failed to verify whether they were authorized to perform the deletion.
Impact:
- Unauthorized modification of user content
- Demonstrated severe authorization failure
Instagram (2019)
Researchers discovered an IDOR vulnerability affecting Instagram APIs.
Attackers could manipulate identifiers in requests and access private stories and private content belonging to other users.
Impact:
- Privacy violations
- Exposure of sensitive user content
GitHub (2022)
GitHub disclosed a privilege escalation vulnerability that allowed users to obtain permissions beyond what was intended within repositories.
Impact:
- Unauthorized repository access
- Potential source code exposure
Optus Breach (2022)
One of Australia’s largest telecommunications providers suffered a massive breach.
Attackers exploited an exposed API endpoint lacking proper authorization validation. Nearly 10 million customer records were exposed.
Data included:
- Names
- Phone numbers
- Email addresses
- Identity document information
This became one of the most significant examples of an IDOR-style access control failure in recent years.
9. Why Broken Access Control Is So Dangerous
Unlike many vulnerabilities, Broken Access Control directly impacts all three pillars of information security.
Confidentiality
Attackers access sensitive information.
Examples:
- Customer records
- Medical data
- Financial information
Integrity
Attackers modify or delete information.
Examples:
- Change account settings
- Delete files
- Alter transactions
Availability
Attackers disrupt operations.
Examples:
- Delete databases
- Disable user accounts
- Modify system configurations
10. How Organizations Can Prevent Broken Access Control
1. Enforce Server-Side Authorization
Every request must be validated on the server.
Never rely on:
- Hidden fields
- Client-side JavaScript
- URL restrictions
The server must independently verify permissions.
2. Apply the Principle of Least Privilege (PoLP)
Users should receive only the permissions required for their role.
Example:
A customer support representative does not need database administrator privileges.
Reducing permissions limits attack impact.
3. Implement Role-Based Access Control (RBAC)
Instead of assigning permissions to each user individually, define roles such as:
- User
- Manager
- Administrator
Assign permissions to roles and assign users to roles.
This simplifies authorization management and reduces mistakes.
4. Use Multi-Factor Authentication (MFA)
MFA cannot fix authorization flaws directly.
However, it significantly reduces the likelihood of account compromise leading to privilege abuse.
5. Audit Access Control Regularly
Organizations should periodically review:
- User permissions
- Role assignments
- Access logs
- Administrative actions
Many privilege escalation issues originate from forgotten permissions.
6. Test for IDOR and Authorization Flaws
Security assessments should specifically test:
- IDOR vulnerabilities
- Horizontal privilege escalation
- Vertical privilege escalation
- Workflow bypasses
- API authorization weaknesses
Manual penetration testing remains extremely effective because many authorization flaws are business-logic driven and difficult for automated scanners to detect completely.
7. Centralize Authorization Logic
One of the most common development mistakes is scattering ad hoc access control checks throughout the application instead of enforcing them in one place.
Instead:
- Centralize authorization mechanisms
- Use middleware
- Use framework authorization policies
This reduces inconsistencies and human error.
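An added Python example (not the article's code) tying together the RBAC recommendation above, the centralized check in this section, and the parameter-manipulation case from section 6: a single decorator resolves the caller's role from the server-side session, so a client-supplied role=admin is never consulted. The user names and role table are constructed.

```python
# Added example, not from the article: one authorization gate, applied as a
# decorator, that resolves the caller's role from the server-side session and
# ignores client-supplied fields such as ?role=admin. Names are constructed.
from functools import wraps

ROLE_PERMISSIONS = {  # RBAC: permissions belong to roles, users belong to roles
    "user": {"view_own_profile"},
    "manager": {"view_own_profile", "manage_team"},
    "administrator": {"view_own_profile", "manage_team", "full_system_control"},
}
USER_ROLES = {"john": "user", "maria": "manager", "root": "administrator"}

class Forbidden(Exception):
    pass

def requires(permission: str):
    """Central policy check: every handler passes through this one function,
    so there is a single place to audit and a single place to get right."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request: dict):
            user = request["session"].get("user")   # set at login, server-side
            role = USER_ROLES.get(user)             # never read from the request
            if permission not in ROLE_PERMISSIONS.get(role, set()):
                raise Forbidden(f"{user!r} ({role}) lacks {permission!r}")
            return handler(request)
        return wrapper
    return decorator

@requires("full_system_control")
def admin_panel(request: dict) -> str:
    return "admin panel for " + request["session"]["user"]

@requires("view_own_profile")
def dashboard(request: dict) -> str:
    return "dashboard for " + request["session"]["user"]

def handle(handler, user, query: dict) -> str:
    """Dispatch the way a small framework would; the query string is carried
    along but the gate above never consults it."""
    request = {"session": {"user": user}, "query": query}
    try:
        return handler(request)
    except Forbidden:
        return "403 Forbidden"

if __name__ == "__main__":
    print(handle(admin_panel, "john", {"role": "admin"}))  # 403 Forbidden
    print(handle(admin_panel, "root", {}))                 # admin panel for root
```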
PRACTICAL LABS:
Final Thoughts
Broken Access Control remains the most dangerous web application vulnerability because it attacks the foundation of trust itself.
Attackers don’t always need sophisticated exploits, malware, or zero-days. Sometimes all they need is a modified URL, a changed parameter, or an API request the application forgot to validate.
The most effective defense is simple in concept but difficult in execution:
Never trust the client. Validate every request. Enforce authorization on the server.
Whether you’re a developer, security engineer, penetration tester, or bug bounty hunter, understanding Broken Access Control is essential because nearly every modern application depends on authorization logic — and history has repeatedly shown that when access control fails, the consequences can be catastrophic.
White Panther
Follow for more: Intelithics
PART 2. OWASP A01 Broken Access Control: Understanding IDOR, Authorization Flaws, and Privilege… was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.