The OWASP Top 10 is a valuable resource for the AppSec community, as it outlines the most prevalent vulnerabilities that developers need to be aware of.
In this article, we will focus on Broken Access Control and advise how to prevent it in your code. We also recommend The Diligent Developer Chronicles as a useful training resource for your development team.
OWASP Top 10 Broken Access Control is a category of security vulnerabilities that allows attackers to gain unauthorized access to resources or perform unauthorized actions such as accessing sensitive data, modifying data, or disrupting the application.
There are many different ways that broken access control can occur. Some common examples include:
Read More: OWASP: A01:2021 – Broken Access Control
In 2014, hackers used a Snapchat exploit to compile a list of 4.6 million Snapchat usernames, phone numbers, and locations through access control vulnerabilities. This information was then posted online in a data leak intended to raise awareness of the insecurities in the popular social platform.
Read The Forbes Article: 4.6 Million Snapchat Usernames And Phone Numbers Captured By API Exploit
Understanding the different types of access control is the first step toward identifying where broken access control vulnerabilities are most likely to appear in your application.
Discretionary Access Control gives resource owners the ability to decide who can access their files, data, or systems. While flexible, this model introduces significant access control vulnerabilities when owners assign permissions too broadly or fail to revoke access over time. Sensitive data can become exposed simply because a permission was never revisited after an employee changed roles or left the organization.
Mandatory Access Control enforces access decisions based on classification levels set by a central authority rather than individual owners. It is commonly used in government and military environments where protecting sensitive data is non-negotiable. When implemented incorrectly, gaps in classification policies can introduce broken access control risks that bypass the intended restrictions entirely.
Role-Based Access Control assigns permissions based on a user's role within an organization. It is one of the most widely adopted models for managing access control at scale. However, poorly defined roles, overly permissive assignments, or failure to enforce proper access controls during role changes can leave applications vulnerable to privilege escalation, where a user gains access to resources or actions well beyond what their role requires.
Attribute-Based Access Control makes access decisions based on a combination of user attributes, resource attributes, and environmental conditions. It offers the most granular control of any model but also the most complexity. That complexity increases the surface area for broken access control vulnerabilities if policies are not carefully designed, tested, and maintained over time.
Rule-Based Access Control enforces permissions through a defined set of system-wide rules, often used alongside other models such as RBAC. When rules are outdated, misconfigured, or conflict with one another, they create access control vulnerabilities that attackers can exploit to reach sensitive data or perform unauthorized actions without triggering any obvious alerts.
No single access control model eliminates broken access control risks on its own. The most secure applications layer multiple models, apply the principle of least privilege consistently, and enforce proper access controls at every point in the stack, from the API layer down to the database. Understanding which model governs which part of your system is essential to identifying where privilege escalation and unauthorized data exposure are most likely to occur.
The key to protecting against Broken Access Control is to implement strict usage tracking, validation, and user protocols, and it all starts with a clear understanding of your organization's security requirements.
Here are some ways you can prevent Broken Access Control within your application:
Role-Based Access Control (RBAC) - a robust system that ensures users are granted access only to the specific resources and actions appropriate for their respective roles. By doing so, it effectively restricts unauthorized access attempts.
Principle of Least Privilege - granting users the bare minimum level of access required to carry out their designated tasks. This approach significantly reduces the risk of unintended actions or unauthorized operations.
Proper Session Management - preventing attempts by unauthorized users to hijack active sessions through measures such as employing secure tokens, implementing timeouts, and ensuring the correct handling of session termination.
Access Control Lists (ACLs) - explicitly defined permissions for both users and resources.
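To make the RBAC, least-privilege and ACL points above concrete, here is an added example (not code from the article or from Security Journey) of an object-level authorization check. It contrasts a lookup that authenticates the caller but never authorizes the request with a deny-by-default version that combines a role permission table, resource ownership and an explicit ACL; the roles, permissions, users and records are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for this example: each role gets only the
# permissions it needs (least privilege); unknown roles get nothing.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:update"},
    "admin": {"record:read", "record:update", "record:delete"},
}

@dataclass
class User:
    user_id: str
    role: str

@dataclass
class Record:
    record_id: str
    owner_id: str
    acl: set = field(default_factory=set)  # user_ids explicitly granted read access

# Constructed sample records.
RECORDS = {
    "r1": Record("r1", owner_id="alice"),
    "r2": Record("r2", owner_id="bob", acl={"carol"}),
}

def get_record_insecure(user: User, record_id: str) -> Optional[Record]:
    """Vulnerable pattern: the caller is logged in, but no authorization check
    is made, so any authenticated user can fetch any record by supplying its id."""
    return RECORDS.get(record_id)

def is_authorized(user: User, action: str, record: Record) -> bool:
    """Deny-by-default decision: role must permit the action, and the caller must
    be an admin, the owner, or (for reads only) listed on the record's ACL."""
    allowed = ROLE_PERMISSIONS.get(user.role, set())
    if action not in allowed:
        return False
    if user.role == "admin" or record.owner_id == user.user_id:
        return True
    return action == "record:read" and user.user_id in record.acl

def get_record(user: User, action: str, record_id: str) -> Optional[Record]:
    """Hardened pattern: resolve the object, then enforce policy before returning it.
    Missing and forbidden records get the same response, so ids cannot be enumerated."""
    record = RECORDS.get(record_id)
    if record is None or not is_authorized(user, action, record):
        return None
    return record
```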
Our AppSec experts at Security Journey recommend that developers don’t just take annual training on the most current OWASP Top 10 to be aware of prominent vulnerabilities and code risks, but also maintain continuous training and conversations about code security across the organization, reinforcing the practices outlined in OWASP Top 10 Proactive Controls.
But why not have fun in the process?
Security Journey developed The Diligent Developer Security Awareness & Education Program as a fun way to not only enhance security awareness, but to build skills across your development team to empower them to think securely. This could be added to National Cybersecurity Awareness Month initiatives for the entire development team or be used to grow a security champions program.
In Chapter One, The Diligent Developers take on Repairing the Gate of Broken Access Control:
As The Diligent Developers continue on their journey, stay tuned to see which OWASP Top 10 challenge they take on next.
Visit our webpage to learn more about accessing program materials and a program guide to effectively train your organization on OWASP Top 10 vulnerabilities.