Listed as #1 on the OWASP Top 10 list, broken access control is when an attacker can gain unauthorized access to restricted information or systems.
Access control ensures that people can only gain access to things they’re supposed to have access to. When access control is broken, an attacker can obtain unauthorized access to information or systems that can put an organization at risk of a data breach or system compromise.
In 2021, the OWASP Top 10 list moved broken access control from the fifth position to first on the list of top vulnerabilities in web applications. According to OWASP, 94% of applications were found to have some form of broken access control, with the average incidence rate of 3.81%.
In this video, Jonathan Knudsen, head of global research at the Cybersecurity Research Center, shows an example of broken access control in an insecure bank application. This example uses a classic vulnerability, insecure direct object reference. You can check out the source code here.