OWASP Top 10 #1: Understanding Broken Access Control (Beginner's Guide)
Disclaimer: I'm currently learning web security through OWASP and PortSwigger Web Security Academy. These are my beginner-friendly notes rewritten as a blog to help reinforce my understanding. If you're just starting out, I hope this makes the topic easier to understand. What you'll learn: In this article you'll learn: ✔ What Broken Access Control is ✔ Vertical Privilege Escalation ✔ Security by Obscurity ✔ Parameter-Based Access Control ✔ Platform Misconfiguration ✔ Horizontal → Vertical Escalation ✔ IDOR ✔ Lessons learned from PortSwigger labs Concept Map: What is Broken Access Control? Broken Access Control happens when a user is able to access data, pages, or perform actions that they are not supposed to . Why should you care? Broken Access Control has ranked #1 in the OWASP Top 10 (2021) because it can expose sensitive data, allow privilege escalation, and let attackers perform actions they should never be able to perform. Think of a website with two types of users: Normal User Admin A normal user should only be able to view their own profile and perform basic actions. An admin, however, can manage users, delete accounts, change settings, etc. If a normal user somehow gains access to those admin features, that's Broken Access Control . In interview terms: Broken Access Control is the failure to properly enforce authorization, allowing users to perform actions beyond their intended permissions. 1. Vertical Privilege Escalation Vertical Privilege Escalation means moving up the permission hierarchy. Example: Normal User ↓ Admin A normal user should never be able to become an administrator. 1.1 Unprotected Functionality One of the simplest forms of Broken Access Control is Unprotected Functionality . Imagine a website has an admin page: /admin The developer removes the Admin button from the normal user's dashboard. Problem solved? No. If a user manually visits: /admin and the server doesn't verify whether they're actually an admin, the page opens. The mistake here