Broken Access Control: Understanding and Exploiting Access Control Vulnerabilities

  • Virtual Cyber Labs
  • 14 Feb, 2025

Introduction

Access control is a fundamental security measure that ensures users can only access resources and functionalities permitted to them. Broken Access Control occurs when these restrictions fail, allowing unauthorized access to sensitive data, actions, or administrative features. According to the OWASP Top 10, Broken Access Control is one of the most critical security vulnerabilities.

In this blog, we will cover:

  • What is Broken Access Control?
  • How it happens and common attack techniques
  • Real-world examples and practical demonstrations
  • Prevention and mitigation techniques

What is Broken Access Control?

Access control governs how users interact with an application’s resources based on their roles and permissions. When access control is weak or misconfigured, attackers can manipulate the system to gain unauthorized privileges, potentially leading to data breaches, account takeovers, and system compromises.

Common Access Control Flaws

  • Horizontal Privilege Escalation – A normal user accesses another user’s data (e.g., modifying a request to access another user’s profile).
  • Vertical Privilege Escalation – A low-privileged user performs admin actions (e.g., changing user roles via API requests).
  • Bypassing Authentication – Accessing protected resources without login.
  • Unrestricted File Access – Directly accessing sensitive files without authorization.
  • Forced Browsing – Manually modifying URLs to access unauthorized resources.

Practical Demonstrations of Broken Access Control

Let’s explore some hands-on attack scenarios where we exploit access control vulnerabilities.

1. Horizontal Privilege Escalation (User A Accesses User B’s Data)

Scenario: A user can access another user’s profile by modifying the User ID in the URL.

Example:

https://example.com/profile?user=123  --> Accessing User 123's profile
https://example.com/profile?user=456  --> Accessing User 456's profile (without permission!)

Steps to Exploit:

  1. Log in as User A.
  2. Capture the request using Burp Suite.
  3. Modify the user parameter to another user’s ID.
  4. Observe the response and check if the other user’s data is accessible.

Mitigation: Implement proper authorization checks at the backend by verifying if the logged-in user has access to the requested data.
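The following is an added example, not code from the original post: a minimal profile handler modelled on the /profile?user=<id> scenario, showing the vulnerable version next to one that makes the ownership decision on the server from the session identity. The user store, the Session class and the function names are assumptions made for illustration.

```python
# Added example (not from the original post): profile lookup with and without
# a server-side ownership check. USERS, Session and the handler names are
# assumptions for illustration only.
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data: two users with private profile details.
USERS = {
    "123": {"name": "alice", "email": "alice@example.com"},
    "456": {"name": "bob", "email": "bob@example.com"},
}


@dataclass
class Session:
    user_id: str  # identity established at login; never taken from the URL


def get_profile_vulnerable(session: Session, requested_id: str) -> Tuple[int, dict]:
    """Vulnerable: trusts the client-controlled parameter and never checks
    whether the caller owns the requested profile."""
    profile = USERS.get(requested_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def get_profile_fixed(session: Session, requested_id: str) -> Tuple[int, dict]:
    """Fixed: compare the requested id with the identity from the session
    before touching the data. The decision is made on the server and cannot
    be influenced by editing the request."""
    if requested_id != session.user_id:
        # 403 here; some APIs return 404 instead so the id is not confirmed.
        return 403, {"error": "forbidden"}
    profile = USERS.get(requested_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, profile


def get_own_profile(session: Session) -> Tuple[int, dict]:
    """Simplest form: the endpoint takes no id at all (e.g. /profile/me),
    so there is no parameter for a client to tamper with."""
    return get_profile_fixed(session, session.user_id)


if __name__ == "__main__":
    alice = Session(user_id="123")
    print(get_profile_vulnerable(alice, "456"))  # leaks bob's data
    print(get_profile_fixed(alice, "456"))       # (403, {'error': 'forbidden'})
    print(get_own_profile(alice))                # alice's own profile
```

The check in get_profile_fixed is deliberately placed before the data is loaded, so an unauthorized request never reaches the record. Where an endpoint only ever serves the caller's own data, dropping the parameter entirely (get_own_profile) removes the flaw by design.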
2. Vertical Privilege Escalation (Gaining Admin Privileges)

Scenario: A user can escalate privileges by modifying role parameters in API requests.

Example: Changing a user’s role via API manipulation.

PUT /api/user/updateRole
{
  "user_id": "123",
  "role": "admin"
}

Steps to Exploit:

  1. Capture the API request while updating user details.
  2. Modify the role from user to admin.
  3. Send the request and check if the role changes.
  4. If successful, log in again and access admin functionalities.

Mitigation:

  • Implement server-side role validation.
  • Use Role-Based Access Control (RBAC).
  • Restrict privilege-changing APIs to admins only.
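An added example, not the post's own code, covering the mitigation list above: a profile-update handler that copies every field from the request (and so accepts a client-supplied role) beside one that only accepts an allow-list of self-editable fields, plus a separate role-change endpoint that decides on the actor's server-side role. The user table, role names and function names are assumptions.

```python
# Added example (not from the original post): server-side role handling for
# the updateRole scenario. The user table, ROLES, PROFILE_FIELDS and the
# function names are assumptions for illustration.
from typing import Dict

ROLES = {"user", "support", "admin"}        # closed set of valid roles
PROFILE_FIELDS = {"display_name", "email"}  # the only fields a user may edit about themselves


def sample_users() -> Dict[str, dict]:
    """Constructed sample data: one ordinary user and one administrator."""
    return {
        "123": {"role": "user", "display_name": "alice", "email": "alice@example.com"},
        "900": {"role": "admin", "display_name": "root", "email": "admin@example.com"},
    }


def update_profile_vulnerable(users: Dict[str, dict], actor_id: str, body: dict) -> dict:
    """Vulnerable: every key in the request body is copied into the record, so
    a client that adds "role": "admin" to its own update promotes itself
    (the mass-assignment variant of vertical privilege escalation)."""
    users[actor_id].update(body)
    return users[actor_id]


def update_profile_fixed(users: Dict[str, dict], actor_id: str, body: dict) -> dict:
    """Fixed: only allow-listed, self-editable fields are accepted; privileged
    attributes such as role are dropped regardless of what the client sends."""
    users[actor_id].update({k: v for k, v in body.items() if k in PROFILE_FIELDS})
    return users[actor_id]


def update_role(users: Dict[str, dict], actor_id: str, target_id: str, new_role: str) -> int:
    """Dedicated role-change endpoint (RBAC). The decision uses the actor's
    role as stored on the server, never a role field in the request body.
    Returns the HTTP status the API would send."""
    actor = users.get(actor_id)
    if actor is None or actor["role"] != "admin":
        return 403                      # only administrators may change roles
    if target_id not in users or new_role not in ROLES:
        return 400                      # unknown target, or role outside the closed set
    users[target_id]["role"] = new_role
    return 200


if __name__ == "__main__":
    u = sample_users()
    print(update_profile_vulnerable(u, "123", {"display_name": "alice", "role": "admin"})["role"])  # admin
    u = sample_users()
    print(update_profile_fixed(u, "123", {"display_name": "alice", "role": "admin"})["role"])       # user
    print(update_role(u, "123", "123", "admin"))    # 403
    print(update_role(u, "900", "123", "support"))  # 200
```

Two separate endpoints matter here: self-service profile edits should never be able to reach privileged attributes, and the one endpoint that can change roles is restricted by the actor's stored role and a closed set of valid values.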

3. Insecure Direct Object Reference (IDOR) Attack

Scenario: A user accesses another user’s sensitive files by modifying file paths or IDs.

Example: Accessing another user’s invoice file.

https://example.com/invoices/12345.pdf  --> User's invoice
https://example.com/invoices/67890.pdf  --> Another user's invoice (without authorization!)

Steps to Exploit:

  1. Locate an endpoint that serves files.
  2. Change the file ID to another valid ID.
  3. Check if the unauthorized file is accessible.

Mitigation:

  • Enforce strict file access control policies.
  • Use session-based access validation.
  • Implement proper user ID verification at the backend.
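An added example, not from the original post, for the invoice-download scenario: the vulnerable resolver maps any valid id straight to a file, the fixed one verifies the session user owns the invoice before resolving it, and a per-session indirect reference map hands the client random handles instead of the real ids (a second layer on top of the owner check, not a replacement for it). The invoice table, storage directory, class and function names are assumptions.

```python
# Added example (not from the original post): owner-checked file access and a
# per-session indirect reference map. INVOICES, INVOICE_DIR and the class and
# function names are assumptions for illustration.
import secrets
from pathlib import PurePosixPath
from typing import Dict, Optional

# Constructed sample data: invoice id -> owning user and stored file name.
INVOICES = {
    "12345": {"owner": "123", "file": "12345.pdf"},
    "67890": {"owner": "456", "file": "67890.pdf"},
}
INVOICE_DIR = PurePosixPath("/srv/app/invoices")  # assumed storage location


def resolve_invoice_vulnerable(invoice_id: str) -> Optional[PurePosixPath]:
    """Vulnerable: any id that exists resolves to a file; no owner check."""
    inv = INVOICES.get(invoice_id)
    return INVOICE_DIR / inv["file"] if inv else None


def resolve_invoice_fixed(session_user: str, invoice_id: str) -> Optional[PurePosixPath]:
    """Fixed: look the object up, then verify the requester owns it. A
    mismatch yields None (403/404 to the client), never the file."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        return None
    return INVOICE_DIR / inv["file"]


class IndirectReferenceMap:
    """Per-session map of random handles -> real invoice ids. The client only
    ever sees handles it was issued, so there is no sequential id to modify;
    the real id is still owner-checked when the handle is resolved."""

    def __init__(self, session_user: str):
        self.session_user = session_user
        self._handles: Dict[str, str] = {}

    def list_invoices(self) -> Dict[str, str]:
        """Issue handles only for objects this session's user owns."""
        self._handles = {
            secrets.token_urlsafe(16): inv_id
            for inv_id, inv in INVOICES.items()
            if inv["owner"] == self.session_user
        }
        return dict(self._handles)

    def resolve(self, handle: str) -> Optional[PurePosixPath]:
        """Unknown handles (including raw invoice ids) resolve to nothing."""
        inv_id = self._handles.get(handle)
        if inv_id is None:
            return None
        return resolve_invoice_fixed(self.session_user, inv_id)


if __name__ == "__main__":
    print(resolve_invoice_vulnerable("67890"))        # any caller gets the path
    print(resolve_invoice_fixed("123", "67890"))      # None: not the owner
    m = IndirectReferenceMap("123")
    handle = next(iter(m.list_invoices()))
    print(m.resolve(handle))                          # /srv/app/invoices/12345.pdf
    print(m.resolve("67890"))                         # None: raw ids are not handles
```

The owner check in resolve_invoice_fixed is the control that actually closes the flaw; the handle map only removes the guessable identifier from the client's view and is bound to the session so a handle issued to one user cannot be replayed by another.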

4. Unauthorized API Access

Scenario: An attacker accesses restricted APIs by directly calling them.

Example: A hidden admin API endpoint that creates a new user with the admin role.

POST /api/admin/createUser
{
  "username": "hacker",
  "role": "admin"
}

Steps to Exploit:

  1. Use tools like Postman or Burp Suite to explore API endpoints.
  2. Identify endpoints that lack authentication.
  3. Send unauthorized requests and observe if they execute successfully.

Mitigation:

  • Use proper API authentication mechanisms (JWT, OAuth, etc.).
  • Implement whitelisting and access control checks.
  • Disable unnecessary API endpoints.
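An added example, not the post's own code, for the mitigation list above and for the "Secure API Endpoints" advice later in the post: a deny-by-default API dispatcher in which every reachable route must declare the role it requires, with bearer tokens signed by HMAC-SHA256 standing in for the JWT/OAuth mechanisms mentioned. The secret, route table, role ranking and function names are assumptions; a production service would use a vetted JWT library and managed keys rather than this hand-rolled token.

```python
# Added example (not from the original post): deny-by-default routing with
# signed bearer tokens. SECRET, ROUTES, RANK and all function names are
# assumptions for illustration; use a real JWT library in production.
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-use"  # assumption: loaded from a secret store in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue "<payload>.<signature>" with an expiry; role is fixed server-side at login."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "role": role, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature and expiry are valid; otherwise None.
    Any edit to the payload (e.g. changing "role") invalidates the signature."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64, or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Route table: (method, path) -> (required role, handler). A route that is not
# registered here cannot be reached at all, so a forgotten "hidden" endpoint
# is denied rather than silently exposed.
ROUTES: Dict[Tuple[str, str], Tuple[str, Callable[[dict, dict], dict]]] = {}
RANK = {"user": 1, "admin": 2}  # role ordering used for the minimum-role check


def route(method: str, path: str, role: str):
    """Register a handler; declaring the required role is mandatory."""
    def register(fn):
        ROUTES[(method, path)] = (role, fn)
        return fn
    return register


@route("GET", "/api/me", role="user")
def me(claims: dict, body: dict) -> dict:
    return {"user": claims["sub"]}


@route("POST", "/api/admin/createUser", role="admin")
def create_user(claims: dict, body: dict) -> dict:
    return {"created": body.get("username"), "by": claims["sub"]}


def dispatch(method: str, path: str, headers: dict, body: dict,
             now: Optional[int] = None) -> Tuple[int, dict]:
    """Authenticate, then authorize against the route's declared role, then run."""
    entry = ROUTES.get((method, path))
    if entry is None:
        return 404, {"error": "not found"}
    required, handler = entry
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {"error": "unauthenticated"}
    if RANK.get(claims.get("role"), 0) < RANK[required]:
        return 403, {"error": "forbidden"}
    return 200, handler(claims, body)


if __name__ == "__main__":
    t = issue_token("123", "user")
    print(dispatch("POST", "/api/admin/createUser", {"Authorization": "Bearer " + t}, {"username": "x"}))  # 403
    print(dispatch("POST", "/api/admin/createUser", {}, {"username": "x"}))                              # 401
```

Because the role lives in a signed claim and the minimum role is declared per route, neither a missing Authorization header, a tampered role claim, an expired token nor an unregistered path can reach a handler.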

Real-World Examples of Broken Access Control

1. Facebook User Data Leak (2021)

Attackers exploited access control flaws in Facebook’s API, allowing them to scrape personal data from 500 million users.

2. Instagram Password Reset Flaw

A vulnerability allowed attackers to change any user’s password using a brute-force attack on the password reset endpoint.

3. Tesla API Misconfiguration

An unprotected API allowed hackers to remotely control Tesla vehicles, showcasing the severity of Broken Access Control.

How to Prevent Broken Access Control?

1. Implement Role-Based Access Control (RBAC)

Assign specific roles and permissions to users and ensure backend checks prevent privilege escalation.

2. Enforce Strong Authorization Mechanisms

Use session-based authentication and validate user permissions on every request.

3. Secure API Endpoints

  • Restrict admin APIs to authorized users.
  • Implement JWT authentication.
  • Use API rate limiting to prevent abuse.

4. Input Validation and Parameter Checks

Ensure that users can only request data they own. Validate user IDs, object references, and access tokens.

5. Monitor and Audit Access Logs

Regularly monitor logs to detect unauthorized access attempts and implement intrusion detection mechanisms.
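An added example, not from the original post, of what "monitor logs to detect unauthorized access attempts" can look like in practice: two detections run over constructed access-log lines, one flagging a session that walks through many distinct object ids under a single resource path (the enumeration pattern behind the IDOR scenarios above), the other flagging a burst of 403 responses from one session. The log format, thresholds and function names are assumptions.

```python
# Added example (not from the original post): two detections over constructed
# access-log lines. LOG_LINES is made-up sample data; the line format,
# thresholds and function names are assumptions for illustration.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<unix ts> <session> <method> <path> <status>"
LOG_LINES = """\
1700000000 sess-a GET /invoices/12340.pdf 403
1700000001 sess-a GET /invoices/12341.pdf 403
1700000002 sess-a GET /invoices/12342.pdf 403
1700000003 sess-a GET /invoices/12343.pdf 403
1700000004 sess-a GET /invoices/12344.pdf 403
1700000005 sess-a GET /invoices/12345.pdf 200
1700000006 sess-a GET /invoices/12346.pdf 403
1700000010 sess-b GET /invoices/67890.pdf 200
1700000020 sess-b GET /profile?user=456 200
1700000030 sess-b GET /invoices/67890.pdf 200
1700000100 sess-c GET /admin/users 403
1700009000 sess-c GET /admin/users 403
1700000200 sess-d GET /admin/settings 403
1700000201 sess-d POST /admin/settings 403
1700000202 sess-d GET /admin/users 403
1700000203 sess-d GET /admin/export 403
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^(/[A-Za-z]+/)(\d+)")  # e.g. "/invoices/12345" -> prefix, id


def parse(lines: str) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sess, method, path, status = m.groups()
            events.append({"ts": int(ts), "session": sess, "method": method,
                           "path": path, "status": int(status)})
    return events


def detect_enumeration(events: List[dict], max_distinct: int = 5) -> List[str]:
    """Sessions touching more than max_distinct distinct ids under one path
    prefix, regardless of status: successful and denied probes both count."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        m = OBJECT_RE.match(e["path"])
        if m:
            seen[(e["session"], m.group(1))].add(m.group(2))
    return sorted({sess for (sess, _prefix), ids in seen.items() if len(ids) > max_distinct})


def detect_forbidden_burst(events: List[dict], window: int = 60, threshold: int = 3) -> List[str]:
    """Sessions with more than threshold 403s inside any sliding window of
    window seconds; isolated denials spread over hours are not flagged."""
    per_session: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["status"] == 403:
            per_session[e["session"]].append(e["ts"])
    flagged = []
    for sess, times in per_session.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(sess)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("enumeration:", detect_enumeration(evs))        # ['sess-a']
    print("403 bursts:", detect_forbidden_burst(evs))      # ['sess-a', 'sess-d']
```

The two signals are complementary: sess-a trips both (it walks sequential invoice ids and collects denials), sess-d trips only the burst rule (it probes admin paths that carry no object id), and sess-c's two denials hours apart trip neither. Thresholds need tuning to the application's normal traffic before either rule is wired to alerting or to an intrusion detection system.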

6. Conduct Regular Security Testing

  • Perform automated scans using OWASP ZAP or Burp Suite.
  • Conduct penetration testing.
  • Implement bug bounty programs.

Conclusion

Broken Access Control is a serious security flaw that can lead to unauthorized access, data leaks, and system compromises. Attackers can exploit poorly implemented access control mechanisms to elevate privileges, access sensitive files, or perform admin actions.

By understanding common attack techniques and implementing proper security measures, developers and security professionals can effectively mitigate these risks and protect applications from unauthorized access.

Want to test your application for Broken Access Control vulnerabilities? Start by using Burp Suite, Postman, and OWASP ZAP to analyze API requests and identify weak access controls!
