What is Broken Access Control?

Broken Access Control occurs when applications fail to enforce proper restrictions on authenticated users, allowing attackers to act outside their intended permissions. This can include viewing, modifying, or deleting data belonging to other users, or accessing admin functionalities without proper privileges.

🚪 Common Types of Access Control Failures

1. Insecure Direct Object Reference (IDOR)

Occurs when an attacker manipulates object identifiers in the URL or body (e.g., /profile?id=123) to access unauthorized resources.

2. Missing Function-Level Access Control

Occurs when backend routes are not protected by authorization checks, allowing unauthorized users to invoke them directly.

3. Forced Browsing

Accessing hidden or unlinked pages by guessing predictable URLs, like /admin or /config.

4. Privilege Escalation

Occurs when users gain higher privileges (e.g., user → admin) due to improper validation.

🧪 Real-World Example

Imagine a social media app where users can access their profile data via:

GET /api/user/profile?id=1001

If an attacker changes the ID value to 1002 and accesses someone else's profile without restriction, this is a classic IDOR vulnerability.

🧠 Step-by-Step: Finding Broken Access Control

1. Analyze Roles and Resources

Understand what each user role should and shouldn't access. Compare the application's actual behavior against those expected restrictions.

2. Tamper with IDs and URLs

Modify parameters like user_id, order_id, or file paths. Try accessing as another user or admin.

3. Check Hidden Functions

Access admin-only routes directly (e.g., /admin/delete-user) even if they are not visible in the UI.

4. Use Burp Suite's Repeater

Resend modified requests with elevated operations and observe server responses.
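The following is an added example, not code from the original article. It shows, in plain Python with no web framework, the two server-side checks whose absence produces the IDOR from the "Real-World Example" and the missing function-level control from step 3, and then turns step 1 (the role/resource matrix) into an audit that replays each expected-access row against a set of routes and reports every mismatch. The route names /api/user/profile and /admin/delete-user are taken from the article; the user table, the Request type and the expected-access matrix are constructed for the example.

```python
"""Object-level and function-level authorization, plus a role/resource audit.
Added example: the users, routes and request type are constructed, not taken
from any real application."""
from dataclasses import dataclass

# Constructed sample accounts: two ordinary users and one admin.
USERS = {
    1001: {"name": "alice", "role": "user"},
    1002: {"name": "bob", "role": "user"},
    9000: {"name": "root", "role": "admin"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape for this example)."""
    session_user: int   # authenticated user id, as established by the session, not by a parameter
    path: str
    params: dict


class Forbidden(Exception):
    """Raised by a handler when the caller is not allowed to perform the action."""


def vulnerable_profile(req: Request) -> dict:
    """IDOR: trusts the id parameter and never compares it to the session user."""
    return USERS[int(req.params["id"])]


def secure_profile(req: Request) -> dict:
    """Object-level check: only the owner (or an admin) may read a profile."""
    target = int(req.params["id"])
    caller = USERS[req.session_user]
    if target != req.session_user and caller["role"] != "admin":
        raise Forbidden(f"user {req.session_user} may not read profile {target}")
    return USERS[target]


def vulnerable_delete_user(req: Request) -> str:
    """Missing function-level check: hiding the link in the UI is the only 'protection'."""
    return f"deleted {req.params['id']}"


def secure_delete_user(req: Request) -> str:
    """Function-level check: the server verifies the caller's role on every call."""
    if USERS[req.session_user]["role"] != "admin":
        raise Forbidden(f"user {req.session_user} is not an admin")
    return f"deleted {req.params['id']}"


VULNERABLE_ROUTES = {
    "/api/user/profile": vulnerable_profile,
    "/admin/delete-user": vulnerable_delete_user,
}
SECURE_ROUTES = {
    "/api/user/profile": secure_profile,
    "/admin/delete-user": secure_delete_user,
}


def dispatch(routes: dict, req: Request) -> int:
    """Route a request and map the outcome to an HTTP-style status code."""
    handler = routes.get(req.path)
    if handler is None:
        return 404
    try:
        handler(req)
        return 200
    except Forbidden:
        return 403


# Step 1 of the article as data: (caller, path, target id, should it be allowed?).
EXPECTED_ACCESS = [
    (1001, "/api/user/profile", 1001, True),    # own profile
    (1001, "/api/user/profile", 1002, False),   # another user's profile (IDOR)
    (9000, "/api/user/profile", 1002, True),    # admin may view any profile
    (1001, "/admin/delete-user", 1002, False),  # ordinary user reaching an admin route
    (9000, "/admin/delete-user", 1002, True),   # admin using the admin route
]


def audit(routes: dict) -> list:
    """Replay every matrix row; return the rows where actual access differs from expected."""
    failures = []
    for caller, path, target, allowed in EXPECTED_ACCESS:
        status = dispatch(routes, Request(caller, path, {"id": str(target)}))
        if (status == 200) != allowed:
            failures.append((caller, path, target, status))
    return failures


if __name__ == "__main__":
    print("vulnerable routes, mismatches:", audit(VULNERABLE_ROUTES))
    print("secure routes, mismatches:", audit(SECURE_ROUTES))
```

The audit is the defender's version of steps 2 and 3: every row that should be denied but returns 200 is a concrete access control failure to fix, and the same matrix can be re-run after each change to the handlers so that a regression shows up as a non-empty failure list.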

💡 Pro Tips & Practical Insights

๐Ÿ›ก๏ธ How to Prevent Broken Access Control

📚 Recommended Tools & Resources