What is broken access control?

Broken Access Control is the security weakness where an application fails to properly enforce what authenticated users are allowed to do. It's the #1 risk on the OWASP Top 10. It covers any case where a user can act outside their intended permissions: reading another user's data (IDOR/BOLA), accessing admin functions as a regular user (privilege escalation), or modifying fields they shouldn't. The root cause is missing or incorrect authorization checks.

How do you prevent broken access control?

Deny by default and grant explicitly; enforce authorization on the server for every request, not in the UI; centralize access-control logic in one policy layer instead of scattered per-endpoint checks; scope every data query to the current user; apply least privilege; and test by trying to access resources and functions as a lower-privileged or different user.

Broken Access Control (OWASP A01): What It Is & Fixes (2026)

Broken Access Control is the #1 risk on the OWASP Top 10 — and for good reason. Authentication asks "who are you?" Access control asks "are you allowed to do this?" When the second check is missing or wrong, users can step outside their permissions, and that's where most serious breaches come from.

What it covers

Broken Access Control is a category, not a single bug. Its common forms:

Form	What it looks like
Horizontal (IDOR/BOLA)	Access another user's data by changing an ID — see IDOR
Vertical (privilege escalation)	A regular user reaches admin-only functions
Missing function-level checks	Hidden admin endpoints reachable by anyone who knows the URL
Property-level (mass assignment)	Setting fields you shouldn't (`role: admin`) via the API
Metadata tampering	Editing a JWT, cookie, or hidden field to elevate access
CORS misconfiguration	Allowing untrusted origins to make authenticated requests

Why it's so common

Access control is everywhere — every endpoint, every action — so it's easy to miss one. And it's invisible in normal use: the app works perfectly for a user with the right permissions. The gap only shows when someone tries something they shouldn't, which is exactly what attackers do and developers don't.

How to prevent it

Deny by default. No access unless explicitly granted — for every resource and function.
Enforce on the server. Hiding a button isn't access control; the API must reject the request itself.
Centralize the logic. One policy/middleware layer the whole app shares beats per-route checks you'll forget.
Scope every query to the user. Fetch by ID and owner together.
Least privilege. Give each role the minimum it needs; protect admin functions explicitly.
Test as the wrong user. Try every sensitive action as a lower-privileged account — it should fail.

Catch the gaps you can't see

You can't manually test every object and function across a whole app. Nurbak scans your deployed app for broken access control, missing auth and the rest of the API security checklist — surfacing the unguarded endpoint before it becomes an incident.

Broken Access Control: OWASP's #1 Risk, Explained

What it covers

Why it's so common

How to prevent it

Catch the gaps you can't see

Related articles

Fabian Delgado

Ready to try it?

What it covers

Why it's so common

How to prevent it

Catch the gaps you can't see

Related articles

Fabian Delgado

Ready to try it?

Read Next

SSRF (Server-Side Request Forgery): What It Is and How to Prevent It

Open Redirect Vulnerability: What It Is and How to Fix It

IDOR Vulnerability: What It Is and How to Prevent It