Broken Access Control

What is Broken Access Control?

Broken access control is the most prevalent web application security vulnerability according to the OWASP Top 10, where access control mechanisms fail to properly enforce what authenticated users are permitted to do — allowing them to access other users' data, perform privileged functions, or interact with resources outside their authorized scope. Access control enforces the policy that users can only act within their intended permissions. When these controls are broken, the consequences range from horizontal privilege escalation (accessing another user's data at the same permission level) to vertical privilege escalation (accessing administrative functionality as a regular user).

Description

Broken access control manifests in multiple vulnerability patterns documented across the OWASP Top 10 for both web applications and APIs. Insecure Direct Object Reference (IDOR) — also called BOLA in the API context — occurs when an application uses user-controllable identifiers (IDs, filenames, keys) to reference objects without verifying the requesting user's ownership. Vertical access control failures occur when regular users can access administrator interfaces or perform privileged actions because authorization checks are enforced at the UI layer but not at the API or function layer — a developer hides the 'admin' button from the interface but the underlying endpoint has no authorization check. Missing function-level access control allows attackers to access undisclosed administrative functions by guessing endpoint paths. Path traversal vulnerabilities allow file system access outside authorized directories. CORS misconfiguration allows unauthorized cross-origin API access. These vulnerabilities are common because authorization logic is notoriously difficult to implement correctly at scale — every endpoint and every data operation needs an explicit check, and a single missing check creates an exploitable gap. Access control failures also intersect with non-human identity security when service accounts and API tokens are granted overly broad permissions that allow access far beyond their intended function.

Usage and Examples

A SaaS platform processes customer orders and stores receipts. Each receipt has a numeric ID in the URL: /receipts/10045. An attacker who is an authenticated customer changes the ID to /receipts/10044 and receives another customer's receipt — including their name, address, and order details. The application checks that the caller is authenticated but not that they own receipt 10044. This is textbook IDOR/broken access control — consistently the most frequently found vulnerability in application penetration testing engagements. Real-world broken access control incidents include the Uber breach (2016), where IDOR allowed access to 57 million users' data; the Facebook photo API bug (2018), which exposed photos through object reference manipulation; and the Trello configuration breach (2024). Remediation requires enforcing authorization checks at every data access operation — not just at the route or middleware level — and using unpredictable identifiers (UUIDs) rather than sequential IDs to reduce enumeration risk.
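The receipt scenario above, written out as an added example that is not code from the page or from Evolve Security: a handler that only checks authentication sits beside one that scopes the lookup to the caller at the data-access layer, with an in-memory store standing in for the database (the store, function names and user ids are assumptions).

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class Receipt:
    receipt_id: str
    owner_id: str
    details: str

@dataclass
class ReceiptRepo:
    """Constructed in-memory store standing in for the database."""
    rows: dict = field(default_factory=dict)

    def add(self, owner_id: str, details: str) -> Receipt:
        # UUIDs instead of sequential ids only reduce enumeration; the
        # ownership-scoped lookup below is what actually fixes the IDOR.
        r = Receipt(str(uuid.uuid4()), owner_id, details)
        self.rows[r.receipt_id] = r
        return r

    def find_by_id(self, receipt_id: str):
        return self.rows.get(receipt_id)

    def find_by_id_for_owner(self, receipt_id: str, owner_id: str):
        # Ownership is part of the query itself, so no handler can forget it.
        r = self.rows.get(receipt_id)
        return r if r is not None and r.owner_id == owner_id else None

def get_receipt_vulnerable(repo, caller_id, receipt_id):
    """The page's bug: any authenticated caller can read any receipt."""
    if caller_id is None:
        return 401, None
    r = repo.find_by_id(receipt_id)
    return (200, r) if r else (404, None)

def get_receipt_secure(repo, caller_id, receipt_id):
    """Authorization enforced at the data-access operation."""
    if caller_id is None:
        return 401, None
    r = repo.find_by_id_for_owner(receipt_id, caller_id)
    # Same 404 for "missing" and "not yours", so existence is not confirmed.
    return (200, r) if r else (404, None)

def demo():
    # Bob requests Alice's receipt through both handlers; returns statuses.
    repo = ReceiptRepo()
    alices = repo.add("alice", "order 10044")
    return (get_receipt_vulnerable(repo, "bob", alices.receipt_id)[0],
            get_receipt_secure(repo, "bob", alices.receipt_id)[0],
            get_receipt_secure(repo, "alice", alices.receipt_id)[0])
```

Returning 404 rather than 403 for a receipt the caller does not own keeps the response from confirming that another customer's record exists.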

How Does This Relate to Penetration Testing?

Broken access control is one of the most consistently identified vulnerabilities across Evolve Security's application penetration testing and API penetration testing engagements. Manual testing is essential: automated scanners identify a small fraction of access control vulnerabilities because exploiting them requires understanding the application's permission model and testing every object type with multiple user contexts. A skilled tester systematically maps the application's data model, enumerates user roles and permissions, and validates whether each combination of user role + object + action is correctly restricted. The must-know pentest findings regularly feature access control issues as high-severity findings with direct data exposure impact. Evolve Security's Application Penetration Testing and API Penetration Testing services include systematic access control testing — finding the authorization gaps that automated scanners consistently miss.
