Broken Access Control (EN)

Concept

OWASP Top 10 security risk where attackers access unauthorized resources

Broken Access Control

Broken Access Control (also known as Broken Object Level Authorization) is a critical security risk in the OWASP Top 10, in which attackers reach protected resources they have no permission for by manipulating URLs, session cookies, or other input parameters. The vulnerability arises when access control mechanisms are missing, implemented incorrectly, or can be bypassed. Typical attacks include taking over other users' accounts, viewing or modifying sensitive data, and executing functions reserved for other roles. Prevention requires access controls that are enforced server-side at every level of the application, with every user request authorized, not just authenticated.

Architecture

flowchart TD
    A[Client] -->|Request| B[Web server]
    B -->|Authorization check| C[Application logic]
    C -->|Check access rights| D[Resource]
    C -->|Missing check| E[Unauthorized resource]
    D -->|Successful| F[Response to client]
    E -->|Security gap| G[Breached access]

In Context

  • Typically used together with authentication mechanisms
  • Related to: Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR)
  • Example use case: An attacker changes the URL from /user/1/profile to /user/2/profile to view another user's profile
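The URL-tampering case from the list above, as an added illustration that is not part of the original page: a profile lookup that trusts the id in the path next to one that enforces object-level authorization against the server-side owner record. The user store, session object, admin set and route are constructed assumptions.

```python
# Added example (not from the original page): insecure vs. hardened
# handler for a route such as /user/<profile_id>/profile.
# PROFILES, ADMINS and Session are constructed for this illustration.
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")

# Constructed sample data: two users, each owning exactly one profile.
PROFILES = {
    1: {"owner_id": 1, "name": "alice", "email": "alice@example.invalid"},
    2: {"owner_id": 2, "name": "bob", "email": "bob@example.invalid"},
}
ADMINS = {99}  # constructed: user ids holding an administrative role


@dataclass(frozen=True)
class Session:
    """Identity established from the session cookie, never from the URL."""
    user_id: int


def get_profile_insecure(session: Session, profile_id: int) -> dict:
    """Vulnerable: authenticates the caller but never authorizes the object.
    Changing /user/1/profile to /user/2/profile returns bob's data to alice."""
    if session is None:
        raise PermissionError("not authenticated")
    return PROFILES[profile_id]


def is_allowed(session: Session, profile_id: int) -> bool:
    """Deny by default; allow only the record's owner or an admin.
    Ownership comes from the stored record, not from client input."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return False  # same answer as "forbidden": no id enumeration via 403/404
    return profile["owner_id"] == session.user_id or session.user_id in ADMINS


def get_profile_secure(session: Session, profile_id: int) -> dict:
    """Hardened: the authorization check runs on every request, server-side."""
    if session is None:
        raise PermissionError("not authenticated")
    if not is_allowed(session, profile_id):
        # Denied attempts are worth logging: a burst of them from one
        # session is a typical signal of id tampering.
        log.warning("authz deny user=%s profile=%s", session.user_id, profile_id)
        raise PermissionError("forbidden")
    return PROFILES[profile_id]
```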

Source: AI Generated