Broken Access Control
Broken access control is the umbrella for any flaw in how an application enforces who can do what — including missing checks, wrong checks, or bypassable checks.
Definition
Broken access control is the umbrella OWASP category for any flaw in the application's authorisation logic. IDOR is the per-record variant; missing function-level access checks ("a regular user can hit `POST /admin/users` and the endpoint just works") is the per-endpoint variant; vertical privilege escalation (a low-tier user reaching a higher-tier action), horizontal escalation (a tenant reaching another tenant's data), and JWT-claim tampering all fall under this heading.
Broken access control sits at #1 on the OWASP Top 10 (2021 edition) because it is endemic, hard to find by automated scanning, and almost always high-impact when present.
How it works
The exact mechanism is application-specific, but a few shapes recur. The most common: the application uses a framework's "is authenticated" middleware as the sole authorisation gate and omits any per-resource check, so any logged-in user can reach any record. Another: authorisation is enforced in the UI only; the API endpoint is still reachable directly, the navigation simply never lets a regular user click it. A third: the authorisation check exists but is performed against attacker-controlled input, such as a "role" claim in a JWT that the attacker forged.
Impact
Anything the broken policy was meant to prevent: data leakage, privilege escalation, financial fraud, tenant escape.
Mitigation
Treat authorisation as a first-class concern, not a cross-cutting one. Use a policy library (OPA, Casbin, Pundit, CASL) and enforce policies in one place. Test the negative cases: every endpoint should have a test that a non-authorised principal gets 403, not just that the authorised one gets 200. Default-deny in the framework's routing layer, so that an endpoint with no explicit policy attached is rejected rather than served.
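The "authenticated-only gate" shape from the section above and the mitigations in this section, as an added example that is not part of the original entry: a vulnerable handler beside one routed through a single default-deny policy function, plus a negative-case check of the kind the text asks for. The invoice records, usernames, tenants and the `Principal` type are constructed for the illustration; roles are read from a server-side store and the token's role claim is ignored.

```python
from typing import NamedTuple, Optional
# Constructed sample data (not from the original page): two tenants, one admin.
INVOICES = {
    "inv-1": {"owner": "alice", "tenant": "acme"},
    "inv-2": {"owner": "bob", "tenant": "globex"},
}
# Server-side role store: the only source of truth for roles, never a token claim.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class Principal(NamedTuple):
    username: Optional[str]          # None means unauthenticated
    tenant: Optional[str]
    claimed_role: str = "user"       # whatever the client's JWT says; untrusted

def vulnerable_get_invoice(p: Principal, invoice_id: str):
    """'Is authenticated' is the only gate: any logged-in user reads any invoice (IDOR)."""
    if p.username is None:
        return 401, None
    return 200, INVOICES.get(invoice_id)     # no ownership or tenant check

def authorize(p: Principal, action: str, resource: dict) -> bool:
    """Single policy function, default deny: unknown actions, users and anonymous callers are refused."""
    if p.username is None:
        return False
    role = ROLES.get(p.username, "user")     # p.claimed_role is deliberately ignored
    if action == "invoice:read":
        return resource["tenant"] == p.tenant and (resource["owner"] == p.username or role == "admin")
    return False

def get_invoice(p: Principal, invoice_id: str):
    """Hardened handler: every request passes through authorize() before data is returned."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    if not authorize(p, "invoice:read", inv):
        return 403, None
    return 200, inv

def negative_cases(handler):
    """Return every (user, invoice, status) where a principal the policy rejects did not get 403."""
    probes = [("alice", "acme", "user"), ("bob", "globex", "user"), ("mallory", "globex", "admin")]
    failures = []
    for user, tenant, claimed in probes:
        p = Principal(user, tenant, claimed)
        for inv_id, inv in INVOICES.items():
            status, _ = handler(p, inv_id)
            if not authorize(p, "invoice:read", inv) and status != 403:
                failures.append((user, inv_id, status))
    return failures
```

Running `negative_cases` against both handlers shows the vulnerable one serving other tenants' invoices (and honouring nothing but the login) while the hardened one returns an empty failure list.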
Examples
- CVE-2023-22515 — Confluence Data Center broken-access-control allowing admin creation.