What is Broken Access Control? - apviso


Broken Access Control
=====================

A category of vulnerabilities where access restrictions are not properly enforced, allowing users to act outside their intended permissions.

Tags: vulnerability, access control, OWASP

Broken access control is the #1 risk in the OWASP Top 10 (2021), encompassing vulnerabilities where users can access resources or perform actions beyond their authorized permissions. This includes bypassing access control checks by modifying URLs, internal application state, or API requests; viewing or editing someone else's account; privilege escalation; metadata manipulation; and CORS misconfiguration.

Common manifestations include: missing authorization checks on API endpoints, IDOR (Insecure Direct Object References) where changing an ID in the URL exposes another user's data, missing function-level access controls where admin endpoints are accessible to regular users, and JWT token manipulation to change roles.
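To make the first two manifestations concrete, here is an added example in plain Python (not APVISO's code): a record lookup with an IDOR beside its ownership-checked form, and an admin-only function with and without a role check. The `User`, `INVOICES`, `Forbidden` and `is_allowed` names and the sample data are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Constructed: identity taken from the server-side session, not the request."""
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: two invoices owned by two different users.
INVOICES = {
    101: {"owner_id": 1, "total": 42.0},
    102: {"owner_id": 2, "total": 99.0},
}


class Forbidden(Exception):
    """Raised when an access control check fails (maps to HTTP 403)."""


def get_invoice_vulnerable(current: User, invoice_id: int) -> dict:
    # Authenticated, but no ownership check: user 1 fetches invoice 102
    # just by changing the ID in the request. This is the IDOR case.
    return INVOICES[invoice_id]


def get_invoice(current: User, invoice_id: int) -> dict:
    inv = INVOICES.get(invoice_id)
    # Horizontal check: deny unless the caller owns the record or is an
    # admin. A missing record gets the same answer as someone else's record,
    # so probing IDs does not reveal which ones exist.
    if inv is None or (inv["owner_id"] != current.id and current.role != "admin"):
        raise Forbidden("not allowed")
    return inv


def delete_user_vulnerable(current: User, target_id: int) -> str:
    # Admin function reachable by any authenticated caller: missing
    # function-level access control.
    return f"deleted {target_id}"


def delete_user(current: User, target_id: int) -> str:
    # Vertical check: the role comes from the server-side session record,
    # never from a client-supplied parameter or an unverified token claim.
    if current.role != "admin":
        raise Forbidden("admin only")
    return f"deleted {target_id}"


def is_allowed(handler, current: User, *args) -> bool:
    """Run a handler as `current`; True if it succeeds, False on Forbidden."""
    try:
        handler(current, *args)
        return True
    except Forbidden:
        return False
```

Calling `is_allowed` for every (role, handler, object) combination is the role-matrix check described below, reduced to a table of booleans.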

Broken access control is particularly dangerous because it's often invisible to automated scanners that lack authentication context. Testing requires understanding the application's role model and systematically verifying that each role can only access its intended resources.

How APVISO tests for this: APVISO's pentester agent performs comprehensive access control testing by manipulating object IDs, role parameters, and authorization tokens. The lead agent coordinates tests across different privilege levels to identify both vertical and horizontal access control failures.

Related Terms
-------------

- [Insecure Direct Object Reference (IDOR)](/glossary/idor)
- [Privilege Escalation](/glossary/privilege-escalation)
- [OWASP Top 10](/glossary/owasp-top-10)


© 2026 APVISO. All rights reserved.
