Broken Access Control
Broken access control is a type of security vulnerability that occurs when a system fails to enforce its access rules properly, so that users can reach resources or perform actions they are not authorized for.

  • allows unauthorized users to:
    • gain access to sensitive or confidential information
    • modify or delete data
    • perform other unauthorized actions
  • is a common vulnerability
  • e.g., a system that allows insecure direct object references
    • an attacker can modify a URL (or another reference, such as an id in a form field or API parameter) to specify a resource they should not be able to access, because the server looks the object up by id without checking that the caller is allowed to see it
  • mitigate by:
    • implementing access controls properly: deny by default, and check the caller's permission against the specific object on the server side for every request
    • regularly testing for vulnerabilities
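The direct object reference case above, as an added example that is not part of the original page: a minimal in-memory document store with the vulnerable lookup next to the hardened one. The names used here (`User`, `Document`, `Forbidden`, `fetch_document_vulnerable`, `fetch_document_secure`, `DENIED_ACCESS_LOG`) and the sample records are assumptions made for the illustration, not a real framework's API.

```python
"""
Insecure direct object reference (IDOR) beside its fix.

Everything in this file is a constructed illustration: the data classes,
the sample documents and the handler names are not from any real project.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin" (constructed sample roles)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the requested object."""


# Constructed sample data standing in for a database table.
DOCUMENTS = {
    100: Document(100, owner_id=1, body="alice's tax return"),
    101: Document(101, owner_id=2, body="bob's medical record"),
}

# Denied requests are recorded here so that a burst of denials from one
# user (someone walking through ids) is visible to monitoring.
DENIED_ACCESS_LOG: List[str] = []


def fetch_document_vulnerable(doc_id: int) -> Optional[Document]:
    """Broken access control: the handler trusts the id taken from the
    request (e.g. the 101 in /documents/101) and returns the object to
    anyone who asks for it."""
    return DOCUMENTS.get(doc_id)


def is_authorized(user: User, doc: Document) -> bool:
    """Single, central authorization decision: the owner or an admin."""
    return doc.owner_id == user.user_id or user.role == "admin"


def fetch_document_secure(user: User, doc_id: int) -> Document:
    """Hardened handler: deny by default, and check the caller's relationship
    to the specific object before returning it."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(user, doc):
        # One error for both "missing" and "not yours", so the response
        # does not reveal which ids exist.
        DENIED_ACCESS_LOG.append(f"user={user.user_id} denied doc={doc_id}")
        raise Forbidden(f"access denied to document {doc_id}")
    return doc


def can_access(user: User, doc_id: int) -> bool:
    """Convenience wrapper around the secure handler for checks and tests."""
    try:
        fetch_document_secure(user, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(1, "user")
    # Vulnerable path: alice can read bob's record just by changing the id.
    print("vulnerable:", fetch_document_vulnerable(101).body)
    # Hardened path: the same request is refused and logged.
    print("secure, own doc:", fetch_document_secure(alice, 100).body)
    print("secure, other doc allowed?", can_access(alice, 101))
    print("denial log:", DENIED_ACCESS_LOG)
```

The important design point is that the authorization check lives in one function (`is_authorized`) that receives both the caller and the object, and that the secure handler refuses unless that check passes; a handler that only validates the id's format, or that relies on the id being hard to guess, still has the vulnerability.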