skip to content
Niyar Dutta
Table of Contents

What is Broken Access Control?

Broken Access Control (BAC) occurs when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality or data.

Common Types of Broken Access Control

1. Insecure Direct Object Reference (IDOR)

  • Exploiting predictable URLs or parameters to access unauthorized data.
  • Example:
GET /user/profile/123

Attacker modifies 123 to 124 to access another user’s profile without authorization.

Another example:

Terminal window
GET /api/v1/invoices/56789

User sees someone else’s invoice by guessing the ID.

2. Vertical Privilege Escalation

  • A user gains higher privilege functions (e.g., normal user becoming admin).
  • Example:
Terminal window
POST /admin/promoteUser HTTP/1.1
Content-Type: application/json


{
  "userId": "123"
}

A low-privilege user calls an admin-only endpoint by guessing the path.

3. Horizontal Privilege Escalation

  • A user accesses another user’s resources at the same privilege level.
  • Example:
Terminal window
GET /account/settings/1033

User changes 1033 to 1034 to access another user’s settings page.

4. Forced Browsing

  • Accessing restricted endpoints without being logged in or authorized.
  • Example:

Trying to access /admin-dashboard manually by typing in URL bar:

https://target.com/admin-dashboard

Despite no menu or link being shown in the UI, if the server doesn’t enforce checks, it allows access.

5. Missing Function-Level Access Control

  • Backend APIs don’t verify user roles before executing sensitive actions.
  • Example:

The frontend hides a “Delete User” button from normal users, but the backend accepts:

Terminal window
POST /admin/deleteUser

If there’s no role check in the backend, anyone can execute the request via curl or Burp.

How to Test for BAC Vulnerabilities

  • Use Burp Suite or Postman to intercept and replay requests with modified roles or IDs.
  • Change user IDs or resource IDs and see if data leaks.
  • Bypass frontend checks by using developer tools or directly hitting backend APIs.

Always test only within allowed scope and with accounts you control. Do not access real user data without permission.

Real-World Examples

  • Facebook Bug: Allowed users to delete any photo from any account by tampering with photo ID in request.
  • Uber Bug: Exposed ride history of other users due to missing access checks.
  • Tesla Bug: Allowed unauthorized software upgrades in vehicles through insecure API access.

Mitigations

  • Enforce access control at the backend, not just UI.
  • Use role-based access control (RBAC) or attribute-based access control (ABAC).
  • Always verify that users are authorized before processing sensitive actions.
  • Use secure design patterns like deny-by-default.

TL;DR

TypeDescription
IDORChanging URL IDs to access others’ data
Vertical EscalationNormal user performs admin actions
Horizontal EscalationUser accesses another user’s resources
Forced BrowsingAccessing hidden paths without auth
Missing Function ChecksNo backend checks for sensitive features