Broken Access Control is a critical web security vulnerability that occurs when an application fails to properly enforce user permissions. This allows attackers to access, modify or perform actions on resources they are not authorized to use. Typical abuses include:
- Viewing or modifying other users' accounts.
- Accessing sensitive data (like personal details or financial information).
- Performing admin-level functions without authorization.
Example: If a normal user can change the URL from /user/profile/101 to /user/profile/102 and access another person's profile without authorization, it indicates a Broken Access Control vulnerability. This is considered one of the most critical web vulnerabilities, as it can lead to data exposure, privilege escalation and even complete account takeover.

Types of Access Control Vulnerabilities
We can split access control vulnerabilities mainly into three categories:
1. Horizontal privilege escalation
Occurs when users gain access to data or functionality belonging to other users who have the same level of permissions.
Example: When you log into your social media account, you are allowed to see your content and make changes to it, but you are not allowed to get access to other users' accounts. However, things could go wrong if access control is flawed.
2. Vertical privilege escalation
This happens when a lower-privileged user (e.g., a regular user) is able to access data or perform actions reserved for higher-privileged roles (e.g., admins).
Example: To perform certain functions and reach certain resources, a user needs to have admin privileges; a regular user doesn't have such privileges. Broken vertical access controls let attackers get access to those functionalities.
3. Context-dependent privilege escalation
This takes place when a user, due to being in a specific context (such as a certain page, workflow or state), gains higher privileges than intended.
Example: Imagine an e-commerce website: a customer should only be able to add items to their own cart. But due to a flaw, if they change the cart ID in the request while on the "checkout" page, they can view or modify someone else's cart.
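The three categories above, as an added example that is not part of the original article: an in-memory authorization model showing one server-side check for each category (profile ownership for horizontal, role for vertical, session-bound cart for context-dependent). The users, profiles, carts and session data are constructed sample values, not from any real application.

```python
"""Added example (not from the original article): an in-memory authorization
model illustrating the three categories of access control failure and the
server-side checks that close each one. Users, profiles, carts and the
checkout context are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str                       # "user" or "admin"
    session_cart_id: Optional[int]  # cart bound to this login session, if any


class Forbidden(Exception):
    """Raised for every denied request; the web layer maps it to a 403."""


# Constructed sample data: which user owns which profile and cart.
PROFILES = {101: {"owner": 101, "email": "alice@example.test"},
            102: {"owner": 102, "email": "bob@example.test"}}
CARTS = {5001: {"owner": 101, "items": ["book"]},
         5002: {"owner": 102, "items": ["lamp"]}}


def view_profile(who: Principal, profile_id: int) -> dict:
    """Horizontal check: a profile is readable only by its owner (admins
    excepted). The ID in the request is never trusted on its own."""
    profile = PROFILES.get(profile_id)
    # A missing profile and someone else's profile get the same answer, so a
    # denied caller cannot use the response to learn which IDs exist.
    if profile is None or (who.role != "admin" and profile["owner"] != who.user_id):
        raise Forbidden("profile not accessible to this user")
    return profile


def delete_user(who: Principal, target_id: int) -> bool:
    """Vertical check: an admin-only action, enforced on the server for every
    call rather than by hiding the button in the UI."""
    if who.role != "admin":
        raise Forbidden("admin role required")
    PROFILES.pop(target_id, None)
    return target_id not in PROFILES


def checkout(who: Principal, cart_id: int) -> list:
    """Context check: on the checkout step the cart ID from the request must be
    both owned by the caller and the cart bound to this session."""
    cart = CARTS.get(cart_id)
    if cart is None or cart["owner"] != who.user_id or cart_id != who.session_cart_id:
        raise Forbidden("cart does not belong to this session")
    return cart["items"]


def attempt(action: Callable, *args) -> str:
    """Run one request and report the access decision as a string."""
    try:
        action(*args)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    alice = Principal(user_id=101, role="user", session_cart_id=5001)
    admin = Principal(user_id=1, role="admin", session_cart_id=None)
    print("alice reads profile 101:", attempt(view_profile, alice, 101))   # allowed
    print("alice reads profile 102:", attempt(view_profile, alice, 102))   # denied (horizontal)
    print("alice checks out cart 5002:", attempt(checkout, alice, 5002))   # denied (context)
    print("alice checks out cart 5001:", attempt(checkout, alice, 5001))   # allowed
    print("alice deletes user 102:", attempt(delete_user, alice, 102))     # denied (vertical)
    print("admin deletes user 102:", attempt(delete_user, admin, 102))     # allowed
```

Every decision is made from the server-side `Principal`, never from an ID or role supplied in the request; the request only names the resource, and the server decides whether this caller, in this session, may touch it.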
Hands-On Lab for Broken Access Control
Given below is a step-by-step hands-on lab for broken access control.
Step 1: Access the Lab
Open PortSwigger Academy.

- Navigate to Access Control, then click on Lab 1 on PortSwigger Academy: Unprotected Admin Functionality.

Step 2: Launch Burp Suite
The free Community Edition is sufficient for this lab.

Step 3: Set up the FoxyProxy extension to route browser traffic through Burp

Step 4: Explore the Lab
- Click on Home. It just redirects back to the main page.

- Click on My Account. It shows the login page (but no direct admin option is visible).

Step 5: Discover the Admin Panel
- Try accessing common admin panel paths in the URL:
Paths:
/admin
/admin-panel
/administrator
/administrator-panel
URL path (the lab instance used in this walkthrough):
https://0a8c003f03363823818d66c100140038.web-security-academy.net/administrator-panel
- You'll notice that /administrator-panel is accessible without authentication or restrictions.
Step 6: Access the Admin Panel
Open the page.

- The panel loads successfully, confirming the broken access control flaw.
Step 7: Delete the Target User
- Inside the admin panel, look for the “Delete user” function.
- Select the user carlos.

- Confirm deletion.
- The lab should now display the message

Impacts of broken access control
The following are the major impacts of broken access control:
1. Unique User IDs and Your Data
Whenever we create an account on a website, the system assigns us a unique user ID. This ID is used to identify us and retrieve our personal data from the database.
Example: If your user ID is 986, your profile page URL might look like this: https://brokenaccesscontrol.com/profile?id=986. Now, just like you, every other user also has their own unique ID. If the website does not enforce proper access control, you could change the number in the URL (for example, from 986 to 987) and view another user's profile.
2. Exploiting Weak Access Controls
Hackers can exploit broken access control flaws to reach resources and services that should only be available to authorized users.
Example: The admin page of a web application should only be accessible to administrators; regular users should never be able to reach it. Once inside, an attacker could steal sensitive user data, delete or modify accounts, or deploy malicious payloads that could compromise or even destroy the entire application and its hosting environment.
Example Attack Scenarios
Here are two example attack scenarios that demonstrate how Broken Access Control can be exploited.
Scenario 1: Accessing another user’s account through URL parameters
Some applications directly use the data a user provides in a request without verifying it.
For example (Java):
// The account number is taken straight from the request and used to look up
// the record; nothing ties it to the user who is logged in.
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
- If you're logged in and your account number is in the URL, like this: https://example.com/app/accountInfo?acct=12345
- An attacker could simply change the number (acct=67890) to try and view someone else's account information.
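The Scenario 1 lookup, as an added example that is not part of the original article: the same query run against an in-memory SQLite table with constructed rows, first as the snippet above does it and then with the fix. Both versions are parameterised, so the defect is not SQL injection; the vulnerable version trusts the acct value from the request, while the fixed version also binds the owner ID from the server-side session. The table, rows, user IDs and the `session_user_id` parameter are all assumptions made for the demonstration.

```python
"""Added example (not from the original article): the Scenario 1 account
lookup against an in-memory SQLite table with constructed rows, in the
vulnerable form and in the fixed form that scopes the query to the owner
taken from the server-side session."""
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(12345, 1, 250), (67890, 2, 9000)])
    return conn


def account_info_vulnerable(conn: sqlite3.Connection,
                            params: dict) -> Optional[Tuple[int, int]]:
    """Same logic as the article's snippet: whatever acct the request names is
    looked up, with no link to who is asking."""
    acct = int(params["acct"])  # int() also rejects non-numeric input early
    return conn.execute("SELECT acct, balance FROM accounts WHERE acct = ?",
                        (acct,)).fetchone()


def account_info_fixed(conn: sqlite3.Connection, params: dict,
                       session_user_id: int) -> Optional[Tuple[int, int]]:
    """The owner comes from the authenticated session, never from the request,
    and the WHERE clause requires both to match. A foreign acct yields None,
    which the caller should render as a plain not-found without revealing
    whether the account exists."""
    acct = int(params["acct"])
    return conn.execute(
        "SELECT acct, balance FROM accounts WHERE acct = ? AND owner_id = ?",
        (acct, session_user_id)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # User 1 is logged in and edits the URL from acct=12345 to acct=67890.
    print("vulnerable:", account_info_vulnerable(db, {"acct": "67890"}))
    print("fixed, own account:", account_info_fixed(db, {"acct": "12345"}, 1))
    print("fixed, foreign account:", account_info_fixed(db, {"acct": "67890"}, 1))
```

The fix is one extra predicate, but it only works because `session_user_id` is read from the server's session store; passing a user ID that arrived in the request would reintroduce the same flaw one parameter over.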
Scenario 2: Accessing restricted admin pages
Websites often have different sections for different types of users, like regular users and administrators. For example:
- Regular user page: https://example.com/app/getAppInfo
- Admin-only page: https://example.com/app/admin_getAppInfo
If the website doesn't block unauthorized access, an attacker (or even a logged-in normal user) could try typing the admin page URL directly into the browser.
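The unprotected admin panel found in Step 5 of the lab and the admin page in Scenario 2 are the same defect seen from two sides, so one added example serves both (it is not code from the original article or from PortSwigger): a deny-by-default route table, plus the regression check a defender runs in CI to confirm that every admin route turns away an anonymous session. The route tables, role names and session shape are constructed for the demonstration; the weak table mirrors the lab's finding and the hardened one is the fix.

```python
"""Added example (not from the original article or from PortSwigger): a
deny-by-default route table with a regression check that walks every admin
route and confirms an anonymous request is refused. Routes, roles and
sessions are constructed for the demonstration."""
from typing import Optional

ADMIN_PREFIX = "/administrator-panel"
ROLE_RANK = {"user": 1, "admin": 2}

# Route -> role required; None means public. The weak table exposes the admin
# panel to everyone, which is exactly what Step 5 of the lab found.
WEAK_ROUTES = {
    "/": None,
    "/my-account": "user",
    "/administrator-panel": None,
    "/administrator-panel/delete": None,
}
HARDENED_ROUTES = {
    "/": None,
    "/my-account": "user",
    "/administrator-panel": "admin",
    "/administrator-panel/delete": "admin",
}


def dispatch(routes: dict, path: str, session: Optional[dict]) -> int:
    """Return an HTTP-style status for a request: 200 allowed, 401 no session,
    403 insufficient role, 404 unknown path. Anything not in the table is
    refused rather than served, so a forgotten route cannot leak."""
    if path not in routes:
        return 404
    required = routes[path]
    if required is None:
        return 200
    if session is None:
        return 401
    if ROLE_RANK.get(session.get("role"), 0) < ROLE_RANK[required]:
        return 403
    return 200


def unprotected_admin_routes(routes: dict) -> list:
    """The check to run in CI: every path under the admin prefix must reject an
    anonymous request. Any path returned here is a finding of the kind the lab
    demonstrates."""
    return [path for path in routes
            if path.startswith(ADMIN_PREFIX) and dispatch(routes, path, None) == 200]


if __name__ == "__main__":
    print("weak table leaks:", unprotected_admin_routes(WEAK_ROUTES))
    print("hardened table leaks:", unprotected_admin_routes(HARDENED_ROUTES))
    print("anonymous -> admin panel:", dispatch(HARDENED_ROUTES, ADMIN_PREFIX, None))
    print("user -> admin panel:", dispatch(HARDENED_ROUTES, ADMIN_PREFIX, {"role": "user"}))
    print("admin -> admin panel:", dispatch(HARDENED_ROUTES, ADMIN_PREFIX, {"role": "admin"}))
```

Keeping the required role next to the route, rather than inside each handler, makes the `unprotected_admin_routes` check possible at all: the policy can be audited as data instead of by reading every handler, and an admin path added without a role entry fails the check immediately.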