
“OWASP A01:2021-Broken Access Control”

  • Writer: Jen C
  • Nov 12, 2025
  • 2 min read

Updated: Nov 13, 2025

“Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k.” (OWASP.org)


What is broken access control?

Let's take a step back and talk about access control. Companies follow the principle of least privilege, which basically says, “Hey, we only grant access for certain things, and you can't do things outside of your permission.” To put it into simpler terms, think of the turnstiles on the 2nd floor. You have to swipe your badge to be allowed through. This is an example of access control. Broken access control, by contrast, would be bypassing authentication and viewing or editing sensitive data. Another example would be not using role-based security.


To sum it up,

  • Authentication: Are you who you say you are?

  • Session management: Are the HTTP requests being made by the same person we just authenticated?

  • Access control: Now that we know who you are and what you're attempting, do you have the access to do so?


Broken access control could be the result of an attacker exploiting these vulnerabilities, or it could be unintended. The following related weaknesses are commonly involved:

  • Injection flaws: untrusted input injected into an application

  • Cross-site scripting (XSS): untrusted input is included in a web page output.

  • Broken authentication/session management: the application doesn't validate or protect information


How can we prevent broken access control? There are a number of ways to keep unauthorized individuals from “entering an area or using a resource” by following defense-in-depth and least privilege.

  • Follow “deny by default” unless publicly accessible.

  • Minimize Cross-Origin Resource Sharing (CORS) usage by using access control in the application.

  • Access validation: when an attacker attempts to tamper with an application or database, the system catches it and checks for credentials. None? Access not allowed.

  • Test and audit controls put in place!
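To make the “deny by default” and “access validation” items concrete, here is an added example (not code from the original post or from OWASP) in plain Python with no web framework. It places a record-viewing handler that only checks that the caller is logged in next to a hardened version that routes every request through one authorization decision, where anything not explicitly granted is denied. The names (`User`, `Record`, `view_record_vulnerable`, `view_record_secure`, `is_allowed`, `audit`), the role table and the in-memory records are all constructed for illustration.

```python
# Added example, not part of the original post: a "deny by default" access-control
# check for a record-viewing endpoint, shown beside the broken version.
# All names and data below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)  # e.g. {"admin"}


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    body: str


# Constructed sample data standing in for a database table.
RECORDS = {
    1: Record(1, "alice", "alice's tax return"),
    2: Record(2, "bob", "bob's medical history"),
}


class AccessDenied(Exception):
    pass


def view_record_vulnerable(user: User, record_id: int) -> str:
    """Broken access control: the caller is authenticated, but nothing checks
    whether THIS user may read THIS record. Any logged-in user can read any
    record simply by changing the id in the request."""
    return RECORDS[record_id].body


# Policy table: (resource, action) -> roles allowed regardless of ownership.
# Anything not listed here is denied; that is the "deny by default" rule.
ROLE_PERMISSIONS = {
    ("record", "read"): {"admin", "auditor"},
}


def is_allowed(user: User, resource: str, action: str, owner_id: Optional[str]) -> bool:
    """Central authorization decision. Returns True only when an explicit rule
    grants access; every other case falls through to False."""
    if owner_id is not None and owner_id == user.user_id:
        return True  # owners may act on their own data
    allowed_roles = ROLE_PERMISSIONS.get((resource, action), set())
    return bool(user.roles & allowed_roles)


def view_record_secure(user: User, record_id: int) -> str:
    """Hardened handler: look the record up, then ask the policy before
    returning anything. A missing record and a forbidden one produce the
    same error so ids cannot be enumerated by probing."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "record", "read", record.owner_id):
        raise AccessDenied(f"user {user.user_id!r} may not read record {record_id}")
    return record.body


def audit(user: User, record_id: int) -> dict:
    """Supports the 'test and audit' step: for one request, report what the
    vulnerable and the hardened handlers would each decide."""
    try:
        view_record_secure(user, record_id)
        secure = "allowed"
    except AccessDenied:
        secure = "denied"
    try:
        view_record_vulnerable(user, record_id)
        vulnerable = "allowed"
    except KeyError:
        vulnerable = "denied"
    return {"user": user.user_id, "record": record_id,
            "vulnerable": vulnerable, "secure": secure}


if __name__ == "__main__":
    alice = User("alice")
    bob = User("bob")
    admin = User("root", frozenset({"admin"}))
    # alice reading bob's record is the case the hardened handler must stop.
    for u, rid in [(alice, 1), (alice, 2), (bob, 2), (admin, 2), (alice, 99)]:
        print(audit(u, rid))
```

The point of the design is that `view_record_secure` never decides access itself; it asks `is_allowed`, and that function has a single “grant” path (ownership or a listed role) with everything else falling through to a denial. Adding a new endpoint means adding a row to the policy table, not remembering to write another check by hand, which is what the “test and audit” item is meant to catch when it is forgotten.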


This is just a small excerpt on Broken Access Control. Check out more at OWASP.org! https://owasp.org/Top10/A01_2021-Broken_Access_Control/





© 2021 by Jen Cracchiola.
