Broken Access Control Explained (OWASP A01) — 2026
May 18, 2001 · by Pentevo
Broken access control sits at #1 on the OWASP Top 10 — it's the most common serious web vulnerability. In plain terms: users can do or see things they shouldn't be allowed to.
The core idea
Authentication answers "who are you?" Authorization answers "what are you allowed to do?" Broken access control is an authorization failure: the app verifies who you are but not whether you're permitted to perform a given action or view a given resource.
Common forms
- IDOR (Insecure Direct Object Reference) — you change an ID in a URL or request (e.g.,
/account/123→/account/124) and see someone else's data because the app didn't check ownership. - Privilege escalation — a normal user reaches admin-only functions (e.g., by guessing an admin URL or tampering with a role parameter).
- Missing function-level checks — the UI hides an action, but the underlying API still allows it if you call it directly.
- Forced browsing — accessing pages/files that should require permission just by knowing the path.
Why it's so common
Developers often enforce access control in the UI (hiding buttons) but forget to enforce it on the server for every request. Attackers don't use your UI — they call your API directly. If the check isn't server-side, it isn't a check.
How to prevent it
- Enforce authorization on the server, for every request — never rely on hiding things in the UI.
- Deny by default — grant access explicitly, not implicitly.
- Check ownership — confirm the logged-in user actually owns the resource they're requesting (stops IDOR).
- Use a centralized access-control mechanism rather than scattered ad-hoc checks.
- Don't trust client-supplied roles/IDs — verify server-side.
- Log access-control failures and alert on patterns.
How it's found
Testers probe by manipulating IDs, parameters, and calling endpoints directly — exactly what tools like Burp Suite make easy, within an authorized pentest. Because it's logic-based, it's also a great example of where human and AI testing both add value.
Learn web app security end to end, free, at the Pentevo Academy.
Related reading
VPN Explained: What It Does (and Doesn't) — 2026
How a VPN actually works, what it protects you from, what it doesn't, and how to choose one — without the marketing hype.
FundamentalsWhat Is Penetration Testing? A Beginner's Guide (2026)
A plain-English guide to penetration testing: what it is, the five phases, the main types, and how it differs from a vulnerability scan.
FundamentalsZero-Day Vulnerabilities Explained (2026)
What a zero-day vulnerability is, why it's so dangerous, how zero-day exploits are used, and what defenders can do about the unknown.
FundamentalsWhat Is a CVE? Understanding Vulnerability IDs (2026)
What CVE means, how the numbering works, how CVSS severity and EPSS scores help you prioritize, and how to track the CVEs that matter.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free