Broken Access Control

Broken Access Control occurs when an application fails to properly enforce what authenticated users are allowed to do. Even if a user is logged in legitimately, the system must still check whether that user has permission to access a particular resource or perform a specific action. When these checks are missing, weak, or implemented incorrectly, attackers can escalate privileges, access restricted areas, manipulate data, and exploit functionalities intended only for privileged users.

Broken access control is one of the most critical vulnerability classes (it heads the OWASP Top 10 as A01:2021) because it affects authorization, not authentication: attackers do not need to log in as admin; they simply bypass the checks that are supposed to enforce admin-level restrictions.

Understanding Access Control

Access control governs who can do what in an application.

Access Control Types

Horizontal Access Control

Same-level users should not access each other’s data.

Example:
User A cannot view User B’s profile.

Vertical Access Control

Lower-privileged users must not access higher-privileged functions.

Example:
Normal user must not access admin panel or admin APIs.

Context-Based Access Control

Actions allowed only under specific conditions.

Example:
User may edit their profile but not certain fields (like their role).

Broken access control means these rules are not enforced correctly.

Common Patterns That Cause Broken Access Control

Missing Access Checks

Endpoints simply fail to verify permissions.

Example:

POST /admin/delete_user?id=5

No check to verify the caller is an admin.

Client-Side Authorization

Application relies on:

  • hidden fields

  • JavaScript checks

  • disabled buttons

Anything enforced in the client can be removed by the client (an intercepting proxy or the browser's developer tools is enough), so these are not access controls at all. Authorization must be enforced on the server for every request.
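The three access-control types and the two patterns above (a missing check, and a check driven by client data), written out as handlers. This is an added example, not code from the original page: users, sessions, profiles and orders are constructed for it, and the names are hypothetical.

```python
# Added example, not code from the original page. The three access-control
# types, each written once without the check (or with the check driven by
# client data) and once enforced from server-side state. Users, sessions,
# profiles and orders are constructed for the example.

from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    role: str                       # "user" or "admin"


@dataclass
class Request:
    session: str                    # session cookie presented by the client
    params: dict = field(default_factory=dict)   # query or body fields


class Forbidden(Exception):
    """Raised where a real handler would return 403."""


# Server-side state: the caller is resolved here, never from request fields.
USERS = {1: User(1, "admin"), 2: User(2, "user"), 3: User(3, "user")}
SESSIONS = {"sess-admin": USERS[1], "sess-bob": USERS[2]}
PROFILES = {1: {"name": "root"}, 2: {"name": "bob"}, 3: {"name": "carol"}}
ORDERS = {10: {"owner": 2, "status": "pending"},
          11: {"owner": 2, "status": "shipped"}}


def current_user(req):
    return SESSIONS[req.session]


# --- Broken: the two patterns from the page --------------------------------

def delete_user_missing_check(req):
    # Missing access check: any logged-in caller deletes anyone.
    current_user(req)
    return "deleted %d" % int(req.params["id"])


def delete_user_client_trusted(req):
    # Client-side authorization: the decision rests on a hidden form field
    # that the client can set to anything it likes.
    if req.params.get("is_admin") != "true":
        raise Forbidden()
    return "deleted %d" % int(req.params["id"])


# --- Enforced server-side ---------------------------------------------------

def delete_user(req):
    # Vertical: only the role stored against the session counts.
    if current_user(req).role != "admin":
        raise Forbidden()
    return "deleted %d" % int(req.params["id"])


def view_profile(req):
    # Horizontal: a user reads only their own profile; admins may read any.
    user = current_user(req)
    target = int(req.params["id"])
    if user.role != "admin" and user.id != target:
        raise Forbidden()
    return PROFILES[target]


def cancel_order(req):
    # Context-based: the owner may cancel, and only while the order is pending.
    user = current_user(req)
    order = ORDERS[int(req.params["id"])]
    if order["owner"] != user.id or order["status"] != "pending":
        raise Forbidden()
    order["status"] = "cancelled"
    return order["status"]


def denied(handler, req):
    """True if the handler refuses the request (used to exercise the checks)."""
    try:
        handler(req)
        return False
    except Forbidden:
        return True
```

With bob's session, delete_user_missing_check(Request("sess-bob", {"id": "3"})) succeeds and delete_user_client_trusted succeeds as soon as the request carries is_admin=true, while delete_user refuses both; view_profile and cancel_order show the horizontal and context checks refusing another user's profile and a shipped order.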

Forced Browsing

Accessing hidden or unlinked endpoints:

/admin
/settings/delete
/export/all

If the server doesn’t block unauthorized roles, attackers gain access.

Parameter-Based Privilege Escalation

User changes role in a request:

Original:

role=user

Modified:

role=admin

If accepted → vertical privilege escalation.

Method Tampering

The access check is bound to one HTTP method (or to one route rule) rather than to the action itself, so the same handler reached through another method skips it.

Example:

GET /admin/delete_user  → forbidden  
POST /admin/delete_user → allowed (mistake)

Unprotected APIs

Backend APIs protected by the UI but not by server-level authorization.

/api/v1/admin/users

If the endpoint returns data to a normal user → broken access control.

Referer / Origin-Based Access

Systems trusting headers for authorization:

if Origin == admin.example.com allow();

Referer and Origin are set by the client. A browser fills them in honestly, but any other client (curl, a proxy, a script) sends whatever value it likes, so they identify nothing and must not drive authorization.

Direct File Access

Files placed in webroot without access control:

/backups/db.sql
/logs/system.log

If accessible directly, any user can download them.

Role Switching Flaws

Changing roles through:

  • cookies

  • JWTs

  • hidden form fields

If the server reads the role straight out of an unsigned cookie, an unverified JWT or a hidden field instead of looking it up in its own session store, the caller picks their own role.

Caching Vulnerabilities

A shared cache (CDN or reverse proxy) stores a response generated for a privileged user and serves it to the next caller of the same URL. This happens when per-user responses go out without Cache-Control: private or no-store, or when the cache key ignores the cookie or Authorization header that distinguishes one user from another.

Practical Broken Access Control Discovery Workflow

Step 1: Identify Privileged Functionality

Look for:

  • /admin

  • /moderator

  • /internal

  • /manage

  • /settings

  • /export

  • /delete

Test accessing them as a regular user.

Step 2: Test Forced Browsing

Manually visit sensitive URLs:

/admin
/admin/dashboard
/admin/users
/settings
/invoices
/logs

If the page loads → access control broken.

Step 3: Intercept Requests and Modify Roles or IDs

Change:

"is_admin": false → true
"user_role": "user" → "admin"

If accepted:

  • privilege escalation

  • full compromise

Step 4: Modify Access Tokens or Cookies

If a cookie contains:

role=user

Modify:

role=admin

If the cookie is neither signed nor used purely as a key into server-side session state, the server accepts whatever role it contains.

Step 5: Test API Endpoints Directly

Frontend may block buttons, but API does not.

Try:

GET /api/admin/users
POST /api/admin/add_user
DELETE /api/admin/messages

If the API answers with data or performs the action instead of returning 401 or 403 → broken access control.

Step 6: Test Object References (IDOR)

Change account IDs:

/user/100 → /user/1  
/settings/100 → /settings/1

Check whether another user's record becomes visible or editable (horizontal access), and whether the low-numbered or administrative accounts expose privileged data or functions (vertical access).

Step 7: Use Burp Suite to Replay Authenticated Requests

Capture privileged request (as admin), replay it as normal user by:

  • removing tokens

  • replacing tokens

  • using cookies from low-priv user

If still allowed → critical vulnerability.

Step 8: Bypass UI-Based Restrictions

If a button is disabled in the browser:

  • remove HTML attributes

  • change JS variables

  • modify CSS

  • remove frontend validations

Then attempt the action again.

Many websites rely solely on UI restrictions.

Step 9: Check for HTTP Method Abuse

Try:

HEAD /admin
OPTIONS /admin
PUT /admin
POST /admin

Sometimes POST is protected but GET is not, or vice versa. Where the framework supports it, also try method-override mechanisms (an X-HTTP-Method-Override header or a _method parameter), which can turn a permitted POST into a DELETE or PUT behind the access check.

Step 10: Attempt Mass Assignment

If users can edit their profile, try adding fields:

{
  "username": "mayur",
  "role": "admin"
}

If the server binds the whole request body to the user record without an allow-list, the extra field is saved and the caller escalates their own privileges.
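Steps 1 to 10 above reduced to code: an authorization-matrix replay that re-sends every endpoint reachable as admin both unauthenticated and as a low-privilege user, and flags any 200. This is an added example, not part of the original page. The target here is an in-memory stand-in constructed with two deliberate gaps; against a live application the same loop would drive an HTTP client with each session's cookie (the Autorize extension for Burp Suite automates the same comparison).

```python
# Added example, not code from the original page. The manual discovery
# workflow as an authorization-matrix replay over a constructed backend.

SESSIONS = {
    "sess-admin": {"id": 1, "role": "admin"},
    "sess-bob": {"id": 2, "role": "user"},
}


def app(method, path, session):
    """Constructed backend with two deliberate gaps. Returns an HTTP status."""
    user = SESSIONS.get(session)
    if user is None:
        return 401
    if path.startswith("/api/admin/"):
        if method == "GET" and path == "/api/admin/users":
            return 200                      # gap 1: role never checked
        return 200 if user["role"] == "admin" else 403
    if path.startswith("/user/"):
        target = int(path.rsplit("/", 1)[1])
        if method == "DELETE":
            return 200 if user["role"] == "admin" else 403
        if method == "PUT":
            return 200 if user["id"] == target or user["role"] == "admin" else 403
        return 200                          # gap 2: any user reads any profile
    return 404


# The privileged functionality identified in Step 1 / Step 5, as (method, path).
ENDPOINTS = [
    ("GET", "/api/admin/users"),
    ("POST", "/api/admin/add_user"),
    ("DELETE", "/api/admin/messages"),
    ("GET", "/user/1"),
    ("PUT", "/user/1"),
    ("DELETE", "/user/1"),
]


def authz_matrix(target, endpoints, privileged_session, low_session):
    """Return (method, path, caller) for every request that should have been
    refused but was served. Object URLs such as /user/1 still need triage:
    a 200 proves the request succeeded, not that the record belonged to
    someone else, so also diff the body against the privileged response."""
    findings = []
    for method, path in endpoints:
        if target(method, path, privileged_session) != 200:
            continue        # baseline failed as admin; nothing to compare against
        callers = (("unauthenticated", None), ("low-privilege", low_session))
        for caller, session in callers:
            if target(method, path, session) == 200:
                findings.append((method, path, caller))
    return findings
```

Run against the constructed backend, authz_matrix(app, ENDPOINTS, "sess-admin", "sess-bob") reports the unchecked GET /api/admin/users and the cross-user GET /user/1, and nothing for the endpoints that do check the role.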

Advanced Broken Access Control Techniques

1. JWT Manipulation

If JWT stores role:

{
  "user": "mayur",
  "role": "user"
}

Modify:

{
  "user": "mayur",
  "role": "admin"
}

If the server decodes the claims without verifying the signature, the attacker is admin. Check the related weaknesses too: a verifier that honours "alg": "none", one that accepts an RS256 token with the server's public key used as an HMAC secret (algorithm confusion), and an HMAC secret weak enough to brute-force offline all let an attacker forge the role claim outright.
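The tampering above, with both sides of the check, as an added example that is not from the original page: a minimal HS256 mint/verify pair in the Python standard library, an attacker editing the role claim while keeping the old signature, a forged "alg": "none" token, and a verifier that pins the algorithm and checks the MAC. The key and claims are constructed for the example; a real service would keep the key in a secrets manager and use a vetted JWT library.

```python
# Added example, not code from the original page. HS256 JWT minting and
# verification with the standard library, plus the two attacker moves the
# page describes. KEY is a hypothetical demo secret.

import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint(claims, key=KEY):
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_unverified(token):
    # The flaw from the page: claims trusted without checking the signature.
    return json.loads(_unb64url(token.split(".")[1]))


def verify(token, key=KEY):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm server-side; the token must not choose it. This also
    # rejects "none" and an RS256 token replayed against an HMAC verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def tamper(token, **changes):
    # Attacker step: edit the claims, keep the header and the old signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64url(payload_b64))
    claims.update(changes)
    return header_b64 + "." + _segment(claims) + "." + sig_b64


def forge_alg_none(claims):
    # Attacker step: no key needed if the verifier honours "alg": "none".
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def rejected(token, key=KEY):
    """True if verify() refuses the token."""
    try:
        verify(token, key)
        return False
    except ValueError:
        return True
```

decode_unverified(tamper(mint({"user": "mayur", "role": "user"}), role="admin")) happily reports role admin; verify() on the same token, on the alg-none forgery, or with a different key raises ValueError.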

2. CORS Misconfigurations

CORS is not an access-control mechanism, but a loose policy lets another origin read responses that the victim's session unlocks. The dangerous pattern is reflecting the caller's Origin together with credentials (illustrative value):

Access-Control-Allow-Origin: https://attacker.example
Access-Control-Allow-Credentials: true

A malicious page can then make the victim's browser call the API with the victim's cookies and read the result. A bare

Access-Control-Allow-Origin: *

only exposes data that is served without credentials (browsers refuse to send cookies to a wildcard origin), or data that is gated by something other than cookies, such as network position.

3. Path Normalization Bypass

Alternative spellings of a protected route:

/..;/admin/
/%2e%2e/admin
/admin/./

If a front-end filter (proxy, WAF or framework middleware) matches the raw path but the backend decodes and normalizes it before routing, a spelling that does not match the filter still reaches the admin handler. Which spellings work depends on the backend's parser; the ..; form relies on Java servlet containers stripping ;-parameters from each path segment. If these load → access control bypass.
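The method-tampering pattern described earlier and the normalization bypass above have the same root cause: the check is bound to the raw request rather than to the action. The toy router below, an added example that is not from the original page, puts an edge rule keyed on the raw method and path in front of a backend that decodes and normalizes the path before dispatch, then shows the hardened layout with the check attached to the handler. Routes, roles and paths are constructed; the ..; spelling is omitted because it depends on a Java-style parser, which Python's normpath does not emulate.

```python
# Added example, not code from the original page. Method tampering and path
# normalisation bypass modelled in one toy router, beside the hardened layout.

import posixpath
from urllib.parse import unquote


class Forbidden(Exception):
    pass


def canonical(raw_path):
    # What the backend does before routing: percent-decode, then collapse
    # "." and ".." segments (posixpath.normpath keeps "/../x" inside the root).
    path = posixpath.normpath(unquote(raw_path))
    return path if path.startswith("/") else "/" + path


def admin_users(role):
    return "user list"


def admin_delete_user(role):
    return "deleted"


def home(role):
    return "home"


def admin_only(handler):
    # The check travels with the handler, so every method and every spelling
    # of the path that reaches it meets the same decision.
    def wrapped(role):
        if role != "admin":
            raise Forbidden()
        return handler(role)
    return wrapped


# Broken deployment: handlers carry no check; an edge rule is meant to do it.
ROUTES_UNCHECKED = {"/": home, "/admin/users": admin_users,
                    "/admin/delete_user": admin_delete_user}


def edge_rule(method, raw_path, role):
    # Written as "non-admins must not GET /admin/*": bound to one method and
    # evaluated on the raw, undecoded path. Returns True when allowed.
    return not (method == "GET" and raw_path.startswith("/admin") and role != "admin")


def handle_broken(method, raw_path, role):
    if not edge_rule(method, raw_path, role):
        return 403
    handler = ROUTES_UNCHECKED.get(canonical(raw_path))
    return 404 if handler is None else 200


# Hardened deployment: canonicalise first, then the handler itself decides.
# Which methods a route accepts is a separate routing concern; the
# authorization decision must not depend on it.
ROUTES_CHECKED = {"/": home, "/admin/users": admin_only(admin_users),
                  "/admin/delete_user": admin_only(admin_delete_user)}


def handle_hardened(method, raw_path, role):
    handler = ROUTES_CHECKED.get(canonical(raw_path))
    if handler is None:
        return 404
    try:
        handler(role)
    except Forbidden:
        return 403
    return 200
```

handle_broken("GET", "/admin/users", "user") is refused, but the same user gets 200 from POST /admin/users, from /public/../admin/users and from /%2e%2e/admin/users; handle_hardened returns 403 for all four and 200 only for the admin role.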

4. Rate Limit Abuse

Low-priv user can brute-force:

  • admin actions

  • ID sequences

  • tokens

Access control failures combined with missing rate limit worsen impact.

5. Temporary States / Session Elevation

Some flows elevate a session for a single task, for example a step-up check before an administrative action:

/start-admin-task

If the elevated state is carried in a token or session flag that is never expired, scoped to that task, or re-checked on later requests, an attacker who captures the token (or replays the request that set the flag) keeps the elevated privileges beyond the task.

Real-World Broken Access Control Examples

Example 1: Missing Authorization Checks on Delete Endpoint

DELETE /user/1

Regular user deletes other users.

Example 2: Admin Panel Accessible Without Authentication

/admin

Loads without requiring login.

Example 3: Upgrade Account by Changing Role Field

PUT /profile
{
  "role": "admin"
}

Server accepts role change.
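The mass-assignment flaw from Step 10 and from this example, bound two ways, as an added example that is not from the original page: the request body merged blindly into the stored record, and the same update filtered through an allow-list of owner-editable fields. The record, field names and payloads are constructed for the example.

```python
# Added example, not code from the original page. Blind binding of a profile
# update beside allow-list binding. STORED and the payloads are constructed.

OWNER_EDITABLE = frozenset({"username", "email", "display_name"})


def update_profile_blind(record, payload):
    # Mass assignment: every key the client sends is written to the record,
    # including ones the form never offered, such as "role". ORM helpers that
    # bind a whole request dict to a model behave the same way.
    updated = dict(record)
    updated.update(payload)
    return updated


def update_profile(record, payload):
    # Allow-list binding. Unknown or privileged keys are rejected rather than
    # silently dropped, so tampering attempts show up as 4xx in the logs.
    unexpected = set(payload) - OWNER_EDITABLE
    if unexpected:
        raise ValueError("fields not editable by owner: %s" % sorted(unexpected))
    updated = dict(record)
    for key in OWNER_EDITABLE & set(payload):
        updated[key] = payload[key]
    return updated


def rejected(record, payload):
    """True if the hardened handler refuses the payload."""
    try:
        update_profile(record, payload)
        return False
    except ValueError:
        return True


# Constructed stored record and the two request bodies from the page.
STORED = {"id": 42, "username": "mayur", "email": "m@example.test", "role": "user"}
HONEST = {"username": "mayur2"}
ESCALATE = {"username": "mayur", "role": "admin"}
```

update_profile_blind(STORED, ESCALATE) comes back with role admin; update_profile(STORED, ESCALATE) raises, update_profile(STORED, HONEST) changes only the username, and a payload that tries to rewrite "id" is refused the same way. Rejecting rather than ignoring is a design choice: an attacker probing for bindable fields is then visible in the error logs.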

Example 4: Forced Browsing to Hidden Functions

/dashboard?admin=1

Unlocks admin features.

Example 5: File Download Leakage

GET /files/backup.zip

Anyone downloads internal backups.

Why Broken Access Control Happens

Root causes include:

  • missing authorization checks

  • relying on security-by-obscurity

  • trusting client-side role enforcement

  • poorly designed REST APIs

  • insecure object references

  • misunderstanding of user privileges

  • rushed implementation

  • developer assumptions

  • missing security testing

Access control requires an explicit check at every endpoint; implementing it case by case instead of systematically leaves gaps across the whole application.

Impact of Broken Access Control

Broken access control can lead to:

  • full account takeover

  • privilege escalation

  • leakage of sensitive user data

  • unauthorized actions

  • deletion or modification of records

  • admin panel access

  • full system compromise

  • exposure of financial and personal data

It is one of the highest-impact vulnerabilities across modern applications.

Intel Dump

  • Broken access control occurs when authorization checks are missing, weak, or enforced on the client rather than the server.

  • Exploitation includes forced browsing, parameter tampering, role modification, direct API access, and object manipulation.

  • Common issues: missing checks, trusting hidden fields, insecure REST APIs, UI-based restrictions, and mass assignment flaws.

  • Vertical (privilege escalation) and horizontal (cross-user access) violations both indicate broken access control.

  • Impact includes full compromise of data, accounts, and admin-level functionality.
