
Broken Access Control

A category of vulnerabilities where access restrictions are not properly enforced, allowing users to act outside their intended permissions.

Tags: vulnerability, access control, OWASP

Broken access control is the top-ranked risk in the OWASP Top 10 (2021), listed as A01:2021. It covers vulnerabilities where users can access resources or perform actions beyond their authorized permissions: bypassing access control checks by modifying URLs, internal application state, or API requests; viewing or editing someone else's account; privilege escalation; metadata manipulation such as tampering with or replaying a JWT or cookie; and CORS misconfiguration that lets unauthorized origins reach an API.

Common manifestations include: missing authorization checks on API endpoints; IDOR (Insecure Direct Object References), where changing an identifier in a URL or request body exposes or modifies another user's data; missing function-level access controls, where admin endpoints are reachable by regular users; and JWT manipulation, where a role or user claim is altered in a token whose signature is not verified, or whose algorithm is downgraded to "none", so the application trusts a client-chosen role.

Broken access control is particularly dangerous because it is often invisible to automated scanners: a scanner without authentication context, and without knowledge of which user is supposed to own which object, cannot tell a legitimate 200 response from an unauthorized one. Testing requires understanding the application's role model and systematically verifying that each role can only access its intended resources, covering both horizontal failures (a user reaching another user's data at the same privilege level) and vertical failures (a lower-privilege user reaching higher-privilege functions).
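The two manifestations above (IDOR and a missing function-level check) and the role-matrix testing approach, as an added example that is not code from the original page or from APVISO. It uses a constructed in-memory user and invoice store with assumed names (alice, bob, carol, invoice IDs 101 and 102, paths /invoices/{id} and /admin/users) and no web framework, so it runs offline. Each vulnerable handler is shown beside its hardened form, and a matrix check walks every (caller, target) pair and compares the outcome against the role model, reporting both over-permissive and over-restrictive results.

```python
"""Horizontal (IDOR) and vertical (missing function-level check) access
control failures, with hardened handlers and a role-matrix test.

Constructed sample data; names and paths are assumptions for illustration.
"""

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed user store: the role is decided server-side from here,
# never from a client-supplied parameter or an unverified token claim.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}

# Constructed records with an owner, the basis for object-level checks.
INVOICES = {
    101: {"owner": "alice", "total": 42},
    102: {"owner": "bob", "total": 99},
}


@dataclass
class Request:
    user: str                       # authenticated principal (assumed verified)
    path: str
    invoice_id: Optional[int] = None


class Forbidden(Exception):
    """Raised when a handler denies the request."""


# --- Vulnerable handlers -----------------------------------------------------

def get_invoice_vulnerable(req: Request) -> dict:
    # Authentication only: any logged-in user can fetch any ID (IDOR).
    return INVOICES[req.invoice_id]


def list_users_vulnerable(req: Request) -> List[str]:
    # Admin-only endpoint with no role check (missing function-level control).
    return sorted(USERS)


# --- Hardened handlers -------------------------------------------------------

def get_invoice_hardened(req: Request) -> dict:
    inv = INVOICES[req.invoice_id]
    role = USERS[req.user]["role"]
    # Object-level check: the caller must own the record or be an admin.
    if inv["owner"] != req.user and role != "admin":
        raise Forbidden(f"{req.user} may not read invoice {req.invoice_id}")
    return inv


def list_users_hardened(req: Request) -> List[str]:
    # Function-level check: deny by default unless the server-side role is admin.
    if USERS[req.user]["role"] != "admin":
        raise Forbidden(f"{req.user} is not an admin")
    return sorted(USERS)


# --- Role-matrix test --------------------------------------------------------

def expected_allowed(user: str, path: str, invoice_id: Optional[int]) -> bool:
    """Ground truth from the role model: owners and admins may read an
    invoice; only admins may list users."""
    role = USERS[user]["role"]
    if path == "/admin/users":
        return role == "admin"
    return INVOICES[invoice_id]["owner"] == user or role == "admin"


def _attempt(handler: Callable[[Request], object], req: Request) -> bool:
    try:
        handler(req)
        return True
    except Forbidden:
        return False


def access_matrix_violations(get_invoice, list_users) -> List[Tuple[str, str, str]]:
    """Exercise every (caller, target) pair and return (user, path, kind)
    for each outcome that disagrees with the role model."""
    violations = []
    for user in USERS:
        requests = [Request(user, f"/invoices/{i}", i) for i in INVOICES]
        requests.append(Request(user, "/admin/users"))
        for req in requests:
            handler = list_users if req.path == "/admin/users" else get_invoice
            allowed = _attempt(handler, req)
            should = expected_allowed(user, req.path, req.invoice_id)
            if allowed and not should:
                violations.append((user, req.path, "over-permissive"))
            elif should and not allowed:
                violations.append((user, req.path, "over-restrictive"))
    return violations


if __name__ == "__main__":
    print(access_matrix_violations(get_invoice_vulnerable, list_users_vulnerable))
    print(access_matrix_violations(get_invoice_hardened, list_users_hardened))
```

Running the matrix against the vulnerable pair flags four over-permissive results (each regular user reading the other's invoice, and both reaching /admin/users); the hardened pair produces none, and the over-restrictive branch guards against a fix that simply denies everyone.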

How APVISO tests for this: APVISO's scanner agent performs comprehensive access control testing by manipulating object IDs, role parameters, and authorization tokens. The lead agent coordinates tests across different privilege levels to identify both vertical and horizontal access control failures.

Related Use Cases

Test your applications for broken access control vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.

Start Testing Free