Application and cloud securityIntermediate33 min read

What Is Broken access control? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Broken access control means that the rules which determine who can see or do what in a computer system are not working correctly. This can let a regular user see private information or perform actions that only an administrator should be able to do. It is one of the most common and dangerous security problems in web applications and cloud services. Fixing it requires careful testing and strict enforcement of permissions at every level.

Common Commands & Configuration

aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json

Applies a bucket policy to an S3 bucket. Use with overly permissive actions or principals like '*' to grant public read/write access.

Tests understanding of S3 bucket policies as a common vector for broken access control; exam scenarios often include a policy that allows 'Effect:Allow, Principal:*, Action:s3:GetObject'.

az role assignment create --assignee user@domain.com --role Contributor --scope /subscriptions/123/resourceGroups/rg1

Assigns the Contributor role to a user at the resource group scope, granting broad write access.

Azure RBAC exams (AZ-104, SC-900) test recognizing overly permissive role assignments; Contributor can modify resources, leading to access control failures.

kubectl create clusterrolebinding admin-binding --clusterrole=cluster-admin --user=dev-user

Binds the cluster-admin role to a user, granting full cluster access. Use only for emergencies; otherwise creates broken access control.

In security exams, this is a classic example of privilege escalation; questions test identifying when least privilege is violated.

aws iam put-user-policy --user-name bob --policy-name S3WriteAll --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*" } ] }'

Attaches an inline policy to user 'bob' allowing s3:PutObject on all buckets. Overly broad and risks unauthorized writes.

AWS SAA and Security+ exams test recognizing permissive resource wildcards; correct answers often recommend scoping to specific bucket ARNs.

ss -tuln | grep :8080

Lists listening TCP/UDP ports; used to check if a management interface is exposed without authentication (e.g., Jenkins, Tomcat).

CySA+ and CISSP exams include scenarios where broken access control stems from exposed admin interfaces; this command helps identify them.

msoluser set -UserPrincipalName admin@contoso.com -PasswordNeverExpires $true

Sets a user's password to never expire, reducing security posture and potentially enabling persistent unauthorized access.

MD-102 and MS-102 exams test understanding of password policies as access controls; this misconfiguration is a broken access control red flag.

nginx -t && cat /etc/nginx/sites-available/default | grep -E 'location|auth_basic'

Tests nginx config and checks for missing authentication directives on sensitive locations (e.g., /admin).

Appears in security exams (e.g., CySA+) where absence of auth_basic on protected paths indicates broken access control.

Must Know for Exams

Broken access control appears across a wide range of IT certification exams because it is a universal security concern. In the AWS Solutions Architect Associate (AWS-SAA) exam, broken access control scenarios often involve misconfigured IAM policies. You might see a question where a developer creates an S3 bucket with a bucket policy that inadvertently grants public read access, or where an IAM role has overly permissive trust policies that allow any user to assume it.

The exam tests your ability to identify the least privilege principle and apply it to IAM roles, policies, and resource-based policies. For the Azure Administrator (AZ-104) exam, broken access control is tested through Role-Based Access Control (RBAC) assignments. You may be asked to configure custom roles with specific permissions, or to identify why a user cannot access a resource even though they are assigned a role.

The exam also covers Azure Policy and Azure Blueprints as tools to enforce access control at scale. In the CompTIA Security+ (Security+) exam, broken access control is part of the “Identity and Access Management” domain. You will encounter questions about the difference between authentication and authorization, types of access control models (DAC, MAC, RBAC, ABAC), and common attack vectors like IDOR and privilege escalation.

The exam expects you to know how to implement the principle of least privilege and separation of duties. The CISSP exam (ISC2-CISSP) covers broken access control extensively in the “Identity and Access Management (IAM)” domain. Questions may involve designing an access control system using formal models like Bell-LaPadula or Biba, or analyzing a scenario where a user is able to access classified data due to a labeling error.

The CISSP expects a deep understanding of access control concepts and the ability to apply them to complex organizational policies. For the Microsoft 365 Certified: Modern Desktop Administrator Associate (MD-102) and the Microsoft 365 Administrator (MS-102) exams, broken access control relates to device management and conditional access policies. You might see a question where a user bypasses a device compliance policy and accesses company data from an unmanaged device because the conditional access policy is not configured correctly.

The Security Operations Analyst (SC-900) exam covers the foundational concepts of identity, authentication, and authorization in Microsoft cloud services. Questions here may ask you to explain how Azure AD Conditional Access, Privileged Identity Management (PIM), and Identity Protection help prevent broken access control. In all these exams, question types include multiple-choice scenarios where you must identify the vulnerability, choose the correct remediation step, or interpret a configuration snippet.

For example, you might be given a JSON policy document and asked to identify why it grants excessive permissions. Or you might be given a scenario where a user can view another user’s data and asked to identify the most likely cause and the best fix. Understanding broken access control is not just about memorizing definitions.

It is about applying the concept to real configurations and troubleshooting problems. You need to be comfortable reading policy documents, understanding RBAC role definitions, and spotting the exact line that makes the access control broken. This is why it is such a common and heavily weighted topic across so many certifications.

Simple Meaning

Imagine you live in an apartment building. The building has a main entrance that requires a key to get in. That key is like logging in with a username and password. Once you are inside, there are different areas: the mail room, the laundry room, the rooftop, and each individual apartment.

Now, broken access control is like having a key that lets you into the building but then finding that the door to the rooftop is wide open when it should be locked. Worse, imagine you walk into the wrong apartment because the doors are not locked at all, or you find that the laundry room door opens if you just push hard enough even though it should only be for residents who paid the fee. In the digital world, this is exactly what happens.

When you log into a web application, you are authenticated, which means the system knows who you are. But authorization is the next step. It decides what you are allowed to do after you are inside.

Broken access control happens when that second step fails. For example, you might be a regular user on a banking website, but because the access controls are broken, you can see another customer’s account balance just by changing a number in the web address. Or you might be a student on a learning platform, but you can delete a course because the system didn’t check if you had permission to delete things.

The problem is not about tricking the system into letting you in without a password. The problem is that once you are in, the system trusts you too much. It doesn’t check what you are allowed to do at each step.

This is incredibly common in software because developers often focus on making the login page secure but forget to check permissions on every single page and every single function. In cloud environments, broken access control can happen when a storage bucket is configured to be publicly readable instead of private, so anyone on the internet can download the files. In APIs, it happens when an endpoint that should only be accessible to administrators is not protected and any authenticated user can call it.

The core idea is simple: just because someone is logged in does not mean they should be able to do everything. Broken access control is the failure to enforce that distinction. It is currently ranked as the number one security risk in the OWASP Top 10, which is a widely recognized list of web application security risks.

Understanding this concept is critical for any IT professional because it affects almost every system you will work with, from a small business website to a large enterprise cloud deployment. The fix usually involves implementing role-based access control, testing permissions thoroughly, and never trusting the client to tell the server what permissions it has.

Full Technical Definition

Broken access control is a class of security vulnerability that arises when an application fails to enforce authorization policies properly, allowing users to perform actions or access resources that are outside their intended privileges. In the context of web applications, APIs, and cloud services, access control is typically implemented through a combination of authentication, session management, and authorization checks. Authentication verifies the identity of the user, while authorization determines what that verified user is allowed to do.

Broken access control represents a failure in the authorization layer. The vulnerability manifests in several forms, including vertical privilege escalation, horizontal privilege escalation, and missing function-level access control. Vertical privilege escalation occurs when a low-privilege user, such as a regular user, gains access to functions or data reserved for higher-privilege roles like administrators.

For example, a user with a ‘viewer’ role might access an API endpoint that allows deleting resources, simply because that endpoint does not check the user’s role before processing the request. Horizontal privilege escalation occurs when a user accesses data belonging to another user at the same privilege level. A classic example is Insecure Direct Object References (IDOR), where a user can modify a parameter in the URL, such as account_id=12345, to view another user’s account details, because the server does not verify that the requesting user owns that object.

Missing function-level access control is another pattern where certain functions, like a debug console or an admin panel, are not properly protected and can be accessed by any authenticated user. In cloud environments, broken access control often involves misconfigured Identity and Access Management (IAM) policies. For example, an AWS S3 bucket might be set to ‘public-read’ instead of ‘private’, allowing any anonymous user to read its contents.

Similarly, an Azure Storage Account might have a network rule misconfigured, allowing access from all IP addresses. In containerized environments, broken access control can occur when a container runs with overly permissive capabilities or when Kubernetes Role-Based Access Control (RBAC) is not configured correctly, allowing a pod to access secrets it should not see. The technical implementation of access control relies on several mechanisms.

At the application level, it often involves middleware that intercepts HTTP requests and checks the user’s role and permissions before passing the request to the controller. This middleware typically consults a database of roles and permissions, often stored in a relational database or a directory service like LDAP or Active Directory. Modern applications increasingly use token-based authentication with JSON Web Tokens (JWT) or OAuth 2.

0 tokens. However, the presence of a token alone does not guarantee proper access control. The server must validate the token and then enforce authorization using information within the token, such as claims about the user’s role, or by making additional database queries.

A common mistake is to rely solely on the client to send the user’s role. An attacker can easily modify the HTTP request to claim a higher privilege role. For example, if a web application stores the user’s role in a cookie or a hidden form field and then uses that value to decide permissions, an attacker can change the cookie to ‘admin’ and gain administrator access.

This is known as a parameter tampering attack. Therefore, the server must always be the authoritative source for authorization decisions. Access control models are typically categorized as Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC).

RBAC is the most common in enterprise applications, where permissions are assigned to roles, and users are assigned to those roles. ABAC is more dynamic and uses policies based on user attributes, resource attributes, and environmental conditions. For example, an ABAC policy might allow access to a document only if the user is in the same department as the document owner and the access is attempted during business hours.

The OWASP Top 10 lists Broken Access Control as the most critical security risk for web applications. In cloud security, frameworks like the AWS Well-Architected Framework and the Azure Security Benchmark emphasize the principle of least privilege, which dictates that users and services should only have the minimum permissions necessary to perform their tasks. Testing for broken access control involves automated scanning tools that try to access resources with different roles and manual penetration testing that attempts to bypass restrictions.

Common testing techniques include changing parameter values, manipulating HTTP headers, and attempting to access unauthorized URLs directly. White-box testing involves reviewing the source code to ensure that authorization checks are performed consistently and correctly. Broken access control is a fundamental security flaw that arises from inadequate enforcement of authorization policies.

It is not a failure of authentication but rather a failure of the system to properly limit what an authenticated user can do. Addressing it requires a layered approach: designing access control at the architecture level, implementing it correctly in code, configuring it properly in cloud services, and testing it rigorously before deployment.

Real-Life Example

Think about a large office building with a security guard at the front desk. Everyone who works in the building has a badge that they swipe to get through the main door. That badge is like your username and password.

It lets the security guard know who you are and that you are allowed to be in the building. Now, inside the building, there are different floors. The first floor has the cafeteria, which is open to all employees.

The second floor has the sales team, and the third floor has the executive offices with the CEO and the boardroom. The building also has a server room in the basement that only IT staff can enter. In a well-secured building, each floor has its own door with a card reader, and each employee’s badge is programmed to open only the doors they are allowed to use.

A salesperson can get into the sales floor but not into the executive offices or the server room. This is proper access control. Now imagine broken access control. The building still has the security guard at the front, so everyone who gets in is authenticated.

But the doors inside the building are broken. The door to the executive floor does not lock properly. Anyone can just push it open. The server room door has a keypad, but the code is written on a sticky note next to the door for convenience.

The salesperson, who should only be on the second floor, can wander up to the executive floor and read confidential financial reports sitting on the CEO’s desk. They can even go into the server room and unplug a critical server, causing a company-wide outage. This is exactly what broken access control looks like in a computer system.

The authentication part works fine. Users have passwords and can log in. But the authorization part is flawed. After logging in, the system does not check whether the user should be allowed to access a particular page, data, or function.

In the office building analogy, the security guard checks your badge at the front door, but then there is no further checking. The internal doors are either unlocked or the locks are easy to bypass. In the digital world, the equivalent is that the server checks your session cookie when you first log in, but then every subsequent request is treated as if it comes from a trusted user, without checking whether that user has the right to perform that specific action.

So, if you know the URL for the admin panel, you can just type it into your browser. Even if you are a regular user, the server might let you in because it never checks your role. This analogy highlights a crucial point: access control is not a single check at the beginning of a session.

It must be a continuous enforcement that happens on every request. Every time a user tries to view a file, update a record, or delete an item, the system must pause and ask: “Does this user have permission to do this?” If the system skips that question even once, the access control is broken.

Why This Term Matters

Broken access control matters because it is the root cause of some of the most damaging data breaches in history. When an attacker exploits broken access control, they do not need to steal passwords or bypass authentication. They simply use their own valid credentials to access data or functions they should not be allowed to see or use.

This makes the attack harder to detect because it looks like legitimate traffic from a valid user. For an IT professional, understanding broken access control is essential for designing, building, and maintaining secure systems. In cloud environments, a misconfigured IAM policy on an S3 bucket can expose millions of customer records to the entire internet.

In web applications, a missing authorization check on an API endpoint can allow one user to delete another user’s account. In enterprise environments, broken access control can allow a junior employee to change their own salary in the HR system. The impact is not just technical.

There are legal and regulatory consequences. Regulations like GDPR, HIPAA, and PCI-DSS require organizations to enforce strict access controls. A breach caused by broken access control can lead to fines, lawsuits, and loss of customer trust.

For example, the 2019 Capital One breach, which exposed the personal information of over 100 million customers, was caused by a misconfigured firewall that allowed an attacker to assume an IAM role with excessive permissions. That is a cloud access control failure. For IT certification exams like the AWS Solutions Architect Associate, the Azure Administrator Associate, CompTIA Security+, and the CISSP, broken access control is a core topic.

You will be expected to understand how to configure IAM policies, how to implement RBAC, and how to test for common vulnerabilities like IDOR. You will also need to know the difference between authentication and authorization, and the best practices for preventing broken access control. In practice, preventing broken access control requires a defense-in-depth approach.

It starts with designing a solid authorization model, typically using roles and policies. It continues with implementing server-side checks on every request, never trusting client-side inputs for authorization decisions. It involves using frameworks that enforce access control automatically, like Spring Security or ASP.

NET Core Authorization. And it requires regular testing, including automated scans and manual penetration testing. For IT professionals, this is not just about passing an exam. It is about building and maintaining systems that protect user data and maintain business continuity.

A single broken access control vulnerability can undo months of work and damage a company’s reputation irreparably. That is why it matters.

How It Appears in Exam Questions

Broken access control appears in exam questions primarily through scenario-based questions that test your ability to recognize the vulnerability and apply the correct remediation. One common pattern is the Insecure Direct Object Reference (IDOR) scenario. For example, a question might describe a web application that allows users to view their own invoices by navigating to a URL like /invoice?

id=1234. The question states that a security researcher discovered that by changing the id parameter to 5678, they could view another customer’s invoice. The answer choices might include fixing SQL injection, enabling HTTPS, or implementing server-side authorization checks.

The correct answer is to add a check that verifies the invoice belongs to the currently authenticated user before returning the data. Another common pattern involves cloud IAM misconfigurations. A question might present an AWS S3 bucket policy that grants ‘GetObject’ access to ‘Principal: *’, meaning anyone on the internet can read the objects.

The question asks what the vulnerability is. The answer is broken access control due to overly permissive bucket policy. The remediation might be to remove the wildcard principal or add a condition that restricts access to only authenticated users from a specific account.

In Azure exams, you might see a question where a user is assigned the ‘Contributor’ role on a resource group but cannot deploy a virtual machine. The question asks why. The answer could be that the user needs the ‘Network Contributor’ role for the virtual network resource, or that the subscription policy blocks the deployment.

This tests your understanding that RBAC is granular and that proper authorization requires multiple role assignments. Function-level access control is another frequent topic. A question might describe a web application where the admin panel is at /admin, but the link to it is hidden from regular users.

The question asks if this is a secure implementation. The answer is no, because security by obscurity is not effective. The correct approach is to verify the user’s role on the server side before rendering the admin panel.

In practice, exam questions often mix broken access control with other concepts like session management or cross-site request forgery (CSRF). You might see a scenario where a user remains logged in on a public computer and another user accesses the application and can see the first user’s data. This could be a session fixation issue, but it also involves broken access control if the application does not validate the session owner on each request.

Troubleshooting questions also appear frequently. For example, you might be given a log entry showing that a user with a ‘viewer’ role accessed a ‘delete’ API endpoint successfully. The question asks what misconfiguration caused this.

The answer options might list various causes, and the correct one is that the API does not check the user’s role before executing the delete operation. The fix is to add role validation middleware. Some questions use configuration snippets.

For example, an Azure ARM template or an AWS CloudFormation template might be shown with an IAM policy that has an ‘Effect: Allow’ and a ‘Principal: *’. You would be asked to identify the vulnerability and choose the correct policy to replace it. The correct policy would restrict the principal to a specific AWS account or a specific role.

Exam questions expect you to think critically about where authorization checks should be placed, how to configure them in cloud platforms, and how to recognize when they are missing or misconfigured.

Practise Broken access control Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are an IT support specialist at a mid-sized company. The company uses a web-based HR system where employees can log in to view their pay stubs, update their personal information, and request time off. Managers have additional privileges: they can approve time-off requests for their direct reports, view team attendance reports, and edit employee profiles for their team members.

Administrators have full access to all HR data, including salary information, performance reviews, and the ability to add or remove users. One day, a junior employee named Alex logs into the HR system. Alex navigates to the URL for viewing pay stubs: https://hr.

company.com/paystubs?employee_id=1001. Alex’s employee ID is 1001, so the page loads correctly and shows his pay stub. Out of curiosity, Alex changes the employee_id parameter in the URL to 1002, which is the ID of a colleague.

To his surprise, the page now shows his colleague’s pay stub, including their salary. Alex tries another ID, 1003, and sees another employee’s data. He also discovers that by navigating to /admin/users, he can see a list of all employees and even delete accounts.

Alex is not an administrator. He should not be able to do any of these things. The issue is that the HR application has broken access control. The system properly authenticated Alex when he logged in.

But after that, it did not check whether Alex is authorized to view other employees’ pay stubs or access the admin panel. The server simply accepted the employee_id parameter from the URL without verifying that the request comes from the user who owns that ID. Similarly, it allowed access to the /admin/users page without checking if the logged-in user has an admin role.

As an IT support specialist, you are called to investigate a complaint from a manager who noticed that Alex viewed sensitive salary data. You review the server logs and see that Alex’s requests to different employee IDs returned HTTP 200 status codes. You realize the access control is broken.

The fix requires two changes. First, for the pay stubs endpoint, the server must extract the logged-in user’s ID from the session and only return data for that ID, ignoring any employee_id parameter. Second, for the admin panel, the server must check the user’s role from the database before rendering the page.

If the user is not an administrator, the server should return a 403 Forbidden error. This scenario illustrates a classic IDOR vulnerability and a missing function-level access control, both of which are forms of broken access control.

Common Mistakes

Thinking that broken access control is the same as authentication failure.

Authentication is about verifying who you are. Access control is about what you can do after you are verified. They are two different layers. A system can have perfect authentication (strong passwords, MFA) but still be vulnerable if it fails to enforce what an authenticated user is allowed to do.

Always separate the concepts. Test authentication separately from authorization. Ensure that after a user logs in, every action they take is checked against their permissions.

Relying on client-side controls like hiding buttons or links to enforce access control.

Client-side controls are easily bypassed. An attacker can use browser developer tools to see hidden elements, or directly send HTTP requests to restricted endpoints. Security must be enforced on the server side.

Implement server-side authorization checks for every function. Do not trust the client to enforce any security rules.

Using user input, such as a role parameter in a hidden form field, to determine permissions.

If the server reads the user’s role from data sent by the client, an attacker can simply modify that data to claim a higher privilege role. This is parameter tampering.

Always derive the user’s role and permissions from a server-side source, such as a session database, a token with signed claims, or a directory service like Active Directory.

Only checking access control at the beginning of a session and not on every request.

A user’s permissions might change during a session (e.g., admin revokes a role), or a user might try to access a different resource than what they initially requested. If the system only checks permissions at login, the user can perform any action for the rest of the session.

Implement middleware or a filter that checks authorization on every HTTP request, before the request is processed.

Assuming that using a hard-to-guess URL is sufficient to protect a resource (security by obscurity).

Attackers use automated tools to scan for common paths or guess URLs. If the server does not check authorization, anyone who finds the URL can access the resource. This is not a valid security control.

Always add authentication and authorization checks to sensitive URLs, regardless of how obscure the URL appears.

Exam Trap — Don't Get Fooled

{"trap":"A question describes a web application where a regular user can view an admin dashboard by entering the URL /admin in the browser. The application does not have a link to the admin dashboard on the regular user's page. The question asks: 'What is the best way to fix this issue?'

and offers options like 'Remove the admin link from the user interface' or 'Implement server-side authorization check.'","why_learners_choose_it":"Learners often think that removing the link from the interface will fix the problem because they believe the vulnerability is that the user could see the link. They overlook the fact that the user entered the URL directly, meaning the server did not check authorization."

,"how_to_avoid_it":"Always remember that client-side elements are not security controls. The correct fix is to add a server-side check that verifies the user's role before processing the request. The link removal is cosmetic and does not address the underlying vulnerability."

Commonly Confused With

Broken access controlvsAuthentication bypass

Authentication bypass means the attacker never had to log in at all. Broken access control assumes the attacker is already authenticated but lacks the proper authorization. Authentication bypass is about getting through the front door without a key. Broken access control is about using the key you have to open doors you should not be able to open.

Authentication bypass: An attacker enters a URL and accesses the admin panel without logging in. Broken access control: A logged-in user with a ‘user’ role accesses the admin panel by entering the same URL.

Broken access controlvsPrivilege escalation

Privilege escalation is a type of broken access control, but broken access control is broader. Privilege escalation specifically refers to gaining higher permissions than intended (vertical escalation). Broken access control includes horizontal escalation (accessing another user’s data) and missing function-level access control.

Privilege escalation: A regular user becomes an admin. Broken access control: A regular user accesses another regular user’s private messages without elevating their role.

Broken access controlvsInsecure Direct Object Reference (IDOR)

IDOR is a specific pattern of broken access control where a user can directly access objects (like files or records) by manipulating a parameter, and the server does not verify ownership. Broken access control includes IDOR plus many other patterns, like function-level access control issues and policy misconfigurations.

IDOR: Changing a URL parameter from /user/123 to /user/456 to see another user’s profile. Other broken access control: A user with a ‘view’ role can delete a record because the delete endpoint lacks role check.

Broken access controlvsAuthorization bypass

Authorization bypass is a synonymous term often used interchangeably with broken access control, but it usually implies a deliberate exploitation of a missing or flawed authorization check. Broken access control is the state of the system; authorization bypass is the action taken by an attacker.

A system has broken access control because the admin panel does not check roles. An attacker performs an authorization bypass by navigating directly to /admin.

Step-by-Step Breakdown

1

User authentication

The user provides credentials (username and password) and the system verifies their identity. This step establishes that the user is who they claim to be. However, it does not determine what they are allowed to do.

2

Session creation

After successful authentication, the server creates a session identifier (often a cookie or a JWT) that is sent to the client. This session is used to identify the user for the duration of their interaction with the application.

3

User request to a resource or function

The user, now authenticated, makes a request to access a specific resource, such as a web page, an API endpoint, or a file. This request includes the session identifier so the server knows who made the request.

4

Server receives the request

The server receives the HTTP request. It reads the session identifier to identify the user. At this point, the server must decide whether to fulfill or deny the request.

5

Authorization check (the critical step)

The server should now perform an authorization check. It determines the user’s role and permissions (e.g., from a database or a token claim) and compares them against the required permissions for the requested resource or action. For example, if the request is to delete a user record, the server checks if the current user has a ‘delete’ permission or an ‘admin’ role.

6

Access granted or denied

If the authorization check passes, the server processes the request and returns the data or performs the action. If the check fails, the server returns an HTTP 403 Forbidden error or redirects to an error page. The response must not reveal any sensitive data if authorization fails.

7

Broken access control scenario

If the server skips the authorization check (step 5), or performs it incorrectly (e.g., using client-supplied data, or checking only at the start of the session), then access control is broken. The request is processed even though the user lacks proper permissions. This is the vulnerability.

8

Exploitation and impact

An attacker can exploit the missing or flawed check by manipulating parameters, trying different URLs, or using automated tools. The result is unauthorized access to sensitive data, unauthorized actions like data deletion or modification, or privilege escalation.

Practical Mini-Lesson

Broken access control is not just a theoretical vulnerability. It is a practical, day-to-day concern for developers, system administrators, and security professionals. To understand it in practice, you need to know how to implement proper access control in your applications and infrastructure.

Let us start with web applications. The most common pattern is to use a middleware that runs on every request. In frameworks like Express.js for Node.js, you can create a middleware function that checks if the authenticated user has the required role before proceeding to the route handler.

For example, you might define a middleware called ‘requireAdmin’ that checks if req.user.role === ‘admin’ and returns 403 if not. This middleware is then applied to any route that should be admin-only.

The same concept applies to ASP.NET Core with the [Authorize] attribute, where you can specify roles like [Authorize(Roles = “Admin”)]. The framework enforces the check before the controller action executes.

In cloud environments, access control is configured using IAM policies. For example, in AWS, you attach an IAM policy to a user, group, or role. The policy is a JSON document that specifies which actions are allowed or denied on which resources.

A common mistake is to use a wildcard (*) for actions or resources, granting too much permission. The principle of least privilege dictates that you should specify exactly the actions needed and limit the resources to those the user must interact with. For instance, a policy for a read-only user should only include ‘s3:GetObject’ and only for a specific bucket, not all buckets.

In Azure, access control is managed through RBAC. You assign a role like ‘Reader’, ‘Contributor’, or ‘Owner’ at a specific scope (management group, subscription, resource group, or resource). Custom roles can be created for fine-grained control.

You must understand the scope at which the role is assigned because a role assigned at the subscription level gives permissions to all resources in that subscription, which might be too broad. Testing for broken access control requires both automated and manual methods. Automated tools like OWASP ZAP can scan for missing access controls by trying to access restricted pages with low-privilege accounts or without authentication.

Manual testing involves analyzing the application’s functionality and trying to bypass restrictions. For example, if the application has a ‘user profile’ page at /user/profile/123, you should test if you can change the number to see another user’s profile while logged in as a different user. You should also test endpoints that perform side effects, like DELETE /user/123, to see if you can delete another user’s account.

What can go wrong? A lot. The most common mistake is dependence on client-side security. Developers sometimes hide buttons for actions that the user should not perform. But an attacker can send a direct HTTP request to the endpoint, bypassing the UI.

Another mistake is relying on the URL path alone for security, such as putting the admin panel at a different port or a hidden directory, but without server-side checks. Another issue is inconsistent authorization checks across different parts of the application. For instance, the main CRUD operations might have checks, but a special export function might be missed.

In real-world incidents, broken access control has led to massive data leaks. A notable example is the 2018 Facebook breach where attackers exploited a feature that allowed viewing the ‘View As’ page, which combined with a video uploader bug, led to an access token theft. That was a form of broken access control.

More recently, cloud storage misconfigurations continue to be a leading cause of data breaches. The lesson is clear: access control must be systematic, layered, and never rely on obscurity or client-side enforcement. As a professional, you should always assume that an attacker knows every URL and parameter.

Your only defense is a robust server-side authorization check on every single request.

Troubleshooting Clues

Missing Authentication on Admin Portal

Symptom: Users can access /admin or /dashboard without logging in; logs show 200 for anonymous requests.

The web server or application lacks authentication middleware for sensitive routes, often due to misconfigured .htaccess, nginx location blocks, or framework routing.

Exam clue: Exam scenarios describe an 'admin panel' that is publicly reachable; ask what tool (e.g., curl, burp suite) confirms it.

Privilege Escalation via Insecure Direct Object Reference (IDOR)

Symptom: Changing 'user_id=123' in API URL to 'user_id=456' returns another user's data without authorization.

The application fails to check ownership or role before serving resources; server trusts client-supplied object IDs without server-side validation.

Exam clue: Common in CISSP and Security+ questions where an attacker edits a URL parameter to access restricted data.

Cross-Tenant Data Access in Cloud Storage

Symptom: Files from Tenant A appear in Tenant B's S3 bucket listing; bucket policy has Principal '*' or uses implicit deny gaps.

A misconfigured bucket policy or IAM role allows unintended cross-account access; often due to 'Resource': '*' combined with 'Condition': absent.

Exam clue: AWS SAA exam: They provide a bucket policy with 'Principal': '*', 'Action': 's3:GetObject', ask to identify the vulnerability.

Overly Permissive IAM Role Allows Write to All Buckets

Symptom: An EC2 instance with an IAM role can delete objects from any S3 bucket in the account; logs show unintended deletions.

The IAM policy attached to the role grants 's3:*' on 'arn:aws:s3:::*', violating least privilege; no resource scoping.

Azure RBAC Contributor at Subscription Level

Symptom: A support user accidentally deleted a virtual network; they have Contributor role on the entire subscription.

Contributor role allows write/delete on all resources except RBAC assignments; scope too broad for a support role.

Exam clue: AZ-104 question: 'User needs to manage resources in one resource group only.' Correct answer: assign Contributor at resource group scope, not subscription.

Kubernetes ClusterRoleBinding to Non-Admin User

Symptom: Developer 'dev-user' can delete pods in production namespace; has cluster-admin binding.

ClusterRoleBinding applies cluster-wide permissions; binding cluster-admin to a developer bypasses namespace-level isolation.

Exam clue: Security+ and CySA+ exams present a YAML manifest with 'ClusterRoleBinding' and 'cluster-admin' for a service account; ask to identify the flaw.

Unrestricted HTTP Method on REST API

Symptom: An API endpoint meant for read (GET) also accepts PUT or DELETE requests without authentication, allowing data modification.

Lack of HTTP method validation or role-based checks; e.g., /api/users accepts DELETE with no auth check.

Exam clue: CISSP test: 'Which HTTP method should be disabled on a read-only endpoint?' Answer: PUT, POST, DELETE if not needed.

Missing MFA Enforcement for Privileged Accounts

Symptom: An admin with global admin rights logs in from a suspicious IP with just password; audit logs show no MFA challenge.

Conditional access policies or IAM policies lack MFA requirement for high-privilege roles.

Exam clue: MS-102 and SC-900 exams: Look for 'Require MFA' conditional access policy not applied to 'Global Administrator' role.

Memory Tip

Think 'ABC': Always Be Checking on the server side. Authentication gets you in, but Authorization holds the line on every request.

Learn This Topic Fully

This glossary page explains what Broken access control means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.An S3 bucket policy includes: 'Effect': 'Allow', 'Principal': '*', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::my-bucket/*'. Which access control vulnerability does this introduce?

2.An Azure user has Contributor role on Subscription A. They can perform which action that violates least privilege?

3.A Kubernetes YAML defines a ClusterRoleBinding to the 'cluster-admin' ClusterRole for a developer's service account. What is the broken access control issue?

4.An API endpoint /api/orders returns order details. An attacker changes orderId=123 to orderId=456 and sees another user's order. This is an example of:

5.An admin discovers a web server has /admin accessible without authentication. Which nginx directive is likely missing from the config?

6.A user with IAM role attached to EC2 can list objects in all S3 buckets. The policy has 'Action': 's3:ListBucket', 'Resource': '*'. What is the insecure element?