Broken access control
When users can act outside their permissions, reaching data or actions that should be restricted to other roles or owners.
Broken access control is the umbrella for any failure to enforce who can do what. It covers a user reaching another user's records, a regular account hitting admin-only endpoints, or a request changing data it shouldn't. The common cause is that checks happen in the UI but not on the server.
It's worth knowing because it's currently the most frequently found web security risk, ahead of injection. For a founder the trap is that the app works perfectly in your own testing, since you never try to access what you're not allowed to. The entry "IDOR explained" covers one of its most common forms.
The fix is to enforce authorization server-side on every request, deny by default, and test as a low-privilege user. Broken access control sits at the top of the OWASP Top 10.
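The three parts of that fix in one place, as an added example that is not taken from any particular framework or from the original page. The route names, the POLICY table, the User class and the sample invoices are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

# Constructed sample data: each invoice records its owner.
INVOICES = {101: {"owner_id": 1, "total": 40}, 102: {"owner_id": 2, "total": 75}}

def is_owner(user, params):
    inv = INVOICES.get(params.get("invoice_id"))
    return inv is not None and inv["owner_id"] == user.id

def is_admin(user, params):
    return user.role == "admin"

# Every (method, route) pair needs an explicit rule; anything not listed is denied.
POLICY = {
    ("GET", "/invoices/{id}"): lambda u, p: is_owner(u, p) or is_admin(u, p),
    ("PUT", "/invoices/{id}"): is_owner,
    ("GET", "/admin/users"): is_admin,
}

def authorize(user, method, route, params=None):
    """Server-side check, run on every request before any handler code."""
    if user is None:
        return False  # unauthenticated: deny
    rule = POLICY.get((method, route))
    if rule is None:
        return False  # no rule registered for this route: deny by default
    return bool(rule(user, params or {}))

def handle(user, method, route, params=None):
    """HTTP-style status: 403 whenever authorize() says no, whatever the UI showed."""
    return 200 if authorize(user, method, route, params) else 403

def low_privilege_audit(user):
    """Test as a low-privilege user: return the probes that user is allowed to make."""
    probes = [
        ("GET", "/invoices/{id}", {"invoice_id": 101}),
        ("GET", "/invoices/{id}", {"invoice_id": 102}),
        ("PUT", "/invoices/{id}", {"invoice_id": 102}),
        ("GET", "/admin/users", {}),
        ("DELETE", "/invoices/{id}", {"invoice_id": 101}),  # route with no rule
    ]
    return [(m, r, p) for m, r, p in probes if handle(user, m, r, p) == 200]
```

Running low_privilege_audit as a regression test for each role makes an unexpected 200 show up as a failed assertion instead of going unnoticed in manual testing.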