Coders Conquer Security: Share & Learn Series - Broken Access Control
When you build a business application, whether for internal use or external use by your customers, you probably don't let every user perform every single function. If you do, you may be vulnerable to broken access control.
Let's take a look at what broken access control is, why it's so dangerous, and how to fix it.
Understand Broken Access Control
Broken access control occurs when application code does not have the proper security or access checks in place. It can also occur when an application is misconfigured in some way, allowing access to functions or pages to which the user should not have access.
If you handle the finances of your company, you may have access to deposit money into certain accounts or transfer money between your company's accounts. However, you shouldn't have access to withdraw cash from those accounts or transfer money to other accounts. If the proper access checks are not present, then your employees may be able to perform more functions than necessary.
These checks can either be done within the code or in configuration files. For example, there may be XML configuration files that tell the web application framework which users are allowed to access which pages. This ensures that users can only access the functions they are authorized to use.
Why Broken Access Control is Dangerous
Consider this example: An attacker has realized that your user account creation code can be manipulated, allowing the attacker to create an admin user with a simple POST request. They can send a request with the username and password, and then change it en route to include the role of admin in the URL as a parameter, or in the body of the request. The attacker logs into the application and is instantly given administrator rights.
It doesn't always have to be a malicious attacker penetrating a system. Without proper access controls, sensitive information that shouldn't be shared between departments may leak out. Imagine if any employee in the company could see HR payroll data or financial data. What would happen if any employee could see that layoffs are coming because of the poor financial situation of the company? This could be damaging to your morale and your company's reputation.
Sensitive information of customers could also be lost. Companies often store personal information of customers that use their services. Be careful not to accidentally expose this because of a lack of access control. For example, if your system gives users the ability to request their health record, do they also have the ability to request and see the health information of others? If the URL contains a customer ID number, attackers could increment that customer ID number over and over again until they find one that matches another customer, thus revealing their personal data.
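The two failures described above, the client-supplied admin role at account creation and the incrementable customer ID on a health record, shown as an added example (not code from the original post) with each vulnerable handler beside its fixed form. The store, record IDs and user names are constructed sample data, and the handlers are plain functions so no web framework is needed.

```python
"""Two broken-access-control bugs and their fixes, modelled as plain handler
functions over an in-memory store. All data below is constructed sample data."""

USERS = {}                     # username -> user record
HEALTH_RECORDS = {             # record id -> record (constructed)
    1001: {"owner": "alice", "diagnosis": "constructed-record-A"},
    1002: {"owner": "bob",   "diagnosis": "constructed-record-B"},
}


class Forbidden(Exception):
    """Raised when a request fails an access-control check (maps to HTTP 403)."""


# ---------- account creation: role supplied by the client ----------

def create_account_vulnerable(request_body: dict) -> dict:
    """Mass-assignment bug: every field of the POST body is copied into the
    new user, so a body that also carries {"role": "admin"} yields an admin."""
    user = {"role": "user"}
    user.update(request_body)          # silently overwrites role if sent
    USERS[user["username"]] = user     # (password hashing omitted here)
    return user


SIGNUP_FIELDS = {"username", "password"}   # allowlist of client-writable fields


def create_account_fixed(request_body: dict) -> dict:
    """Only allowlisted fields are read from the client; the role is assigned
    server-side and cannot be influenced by anything in the request."""
    user = {k: v for k, v in request_body.items() if k in SIGNUP_FIELDS}
    missing = SIGNUP_FIELDS - set(user)
    if missing:
        raise ValueError(f"required fields missing: {sorted(missing)}")
    user["role"] = "user"              # the server decides the role, always
    USERS[user["username"]] = user
    return user


# ---------- health records: object-level (ownership) check ----------

def get_health_record_vulnerable(current_user: str, record_id: int) -> dict:
    """Looks the record up by the ID taken from the URL and never asks who
    owns it, so any logged-in user can walk the ID space and read others."""
    return HEALTH_RECORDS[record_id]


def get_health_record_fixed(current_user: str, record_id: int) -> dict:
    """Same lookup, but the record is released only to its owner. A missing
    record and someone else's record fail identically, so the response does
    not reveal which IDs exist."""
    record = HEALTH_RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read record {record_id}")
    return record
```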
Defeat Broken Access Control
Role-based access control (RBAC) is a very effective tool for implementing sound access control. Those using Active Directory may be familiar with the idea of creating groups and giving access to certain items across the group, instead of to the individual. Applications work the same way, using roles to define who is allowed to see what.
This has two advantages. First, a function doesn't have to be changed when somebody leaves the administrator role. If somebody was previously an administrator and now no longer should be, then you simply place a new person into the administrator role and remove the previous person from the role. The code checks to see if the user has the administrator role instead of checking to see if each individual user has access to a certain page or function.
The second benefit is avoiding a maintenance nightmare. Access control that is so granular that every person has associations with every single possible function or page will be impossible to manage over time. Roles make things much easier, because multiple people can be added to a role. One role may include the entire company, while another may have only five people. This makes managing the roles more efficient, as there will be fewer roles to manage. A company of 10,000 people could have only 100 roles instead of 10,000 times the number of functions in your application. Research your chosen application framework to see what options exist for robust access control.
It is also critical to use function-level access control. Protect access to all functions by requiring users to pass certain access control checks. Use the principle of least privilege, denying access by default and only opening access on an as-needed basis. It can be difficult to remember to implement access control for each function. Use a central component to manage and enforce access control.
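The RBAC and central-enforcement advice of the last four paragraphs as one added example (not the post's own code): roles are a membership table, permissions are a single policy table, every business function is registered through one decorator that applies the policy, unknown functions are denied by default, and registering a function that has no policy entry fails immediately, which is the check for "forgot to add access control". Role names, function names and members are constructed for the example.

```python
"""Central, deny-by-default role-based access control (constructed example)."""
from functools import wraps
from typing import Callable, Dict, FrozenSet, Set


class Forbidden(Exception):
    """Access-control failure; an HTTP layer would turn this into a 403."""


# One place that says which roles may invoke which function.
POLICY: Dict[str, FrozenSet[str]] = {
    "view_own_account":  frozenset({"employee", "finance", "admin"}),
    "deposit":           frozenset({"finance", "admin"}),
    "transfer_internal": frozenset({"finance", "admin"}),
    "withdraw_cash":     frozenset({"admin"}),
    # "transfer_external" is deliberately absent: no entry means denied.
}

# Membership is data, not code: revoking admin is a table edit, not a redeploy.
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "employee": {"alice", "bob", "carol"},
    "finance":  {"bob"},
    "admin":    {"carol"},
}


def roles_of(user: str) -> FrozenSet[str]:
    return frozenset(r for r, members in ROLE_MEMBERS.items() if user in members)


def authorize(user: str, function_name: str) -> bool:
    """Deny by default: a function with no policy entry is never allowed."""
    allowed = POLICY.get(function_name, frozenset())
    return bool(roles_of(user) & allowed)


PROTECTED: Dict[str, Callable] = {}


def protected(func: Callable) -> Callable:
    """Registers a business function and wraps it with the central check.
    Refusing to register a function without a policy entry surfaces the
    'forgot to add access control' mistake at import time, not in production."""
    name = func.__name__
    if name not in POLICY:
        raise RuntimeError(f"no access policy defined for {name}()")

    @wraps(func)
    def guarded(user: str, *args, **kwargs):
        if not authorize(user, name):
            raise Forbidden(f"{user} {sorted(roles_of(user))} may not call {name}")
        return func(user, *args, **kwargs)

    PROTECTED[name] = guarded
    return guarded


@protected
def deposit(user: str, account: str, amount: int) -> str:
    return f"{user} deposited {amount} into {account}"


@protected
def withdraw_cash(user: str, account: str, amount: int) -> str:
    return f"{user} withdrew {amount} from {account}"


def revoke_role(user: str, role: str) -> None:
    """Taking someone out of a role changes data only; no function changes."""
    ROLE_MEMBERS[role].discard(user)
```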
Protect Your Sensitive Functions
Broken access control can leave your data and your application wide open for attack and exploitation. Customer data that is not protected properly could lead to a massive data breach, hurting your reputation and your revenue.
Broken access control could also lead to account takeover if attackers are able to access functionality they shouldn't access. Use proper function-level access control and you'll keep your application safe from malicious attackers, and even accidental insiders.
Think you're all over function-level access? You can challenge yourself to repair broken access control now: [Start Here]
Jaap Karan Singh is a Secure Coding Evangelist, Chief Singh and co-founder of Secure Code Warrior.