RagTags for ResCommunes

the machines have taken over

OWASP #1 (2021) – Broken Access Control

Broken Access Control means the application doesn’t correctly enforce who is allowed to do what. It’s not about logging in - it’s about what users can access after they’re logged in.

This issue occurs when users can access data or perform actions outside their role or intended scope. For example:

- A normal user viewing another user's private data by changing an ID in the URL.
- Gaining access to admin functions by guessing or modifying a request.
- Frontend controls hiding certain actions while the backend still accepts and processes them.

These bugs are dangerous because they often expose sensitive data or allow privilege escalation. OWASP ranked this #1 in 2021 because it's both common and severe.

Fixing this means building proper checks into the server-side logic - never relying on frontend controls like hidden buttons or disabled fields. Key prevention techniques include:

- Enforcing access rules on every request.
- Using server-side role or ownership checks.
- Denying by default: if the system isn't sure the user is allowed, block the request.
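As an added example (not code from the original post), here is the "change an ID in the URL" case from above as a plain Python handler that trusts the id, beside a hardened handler that applies a deny-by-default ownership/role check on the server. The `User`, `RECORDS` and `can_access` names are assumptions for the illustration.

```python
# Added example: an insecure record lookup beside a hardened one.
# Framework-free; the data and names below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: private records keyed by record id.
RECORDS = {
    101: {"owner_id": 1, "body": "alice's notes"},
    102: {"owner_id": 2, "body": "bob's notes"},
}


class Forbidden(Exception):
    pass


def get_record_vulnerable(current_user: User, record_id: int) -> dict:
    """Trusts the id from the request; any logged-in user reads any record."""
    return RECORDS[record_id]


def can_access(current_user: User, record: dict, action: str) -> bool:
    """Deny by default: True only when an explicit allow rule matches."""
    if current_user.role == "admin":
        return True
    if action == "read" and record["owner_id"] == current_user.id:
        return True
    return False  # anything not explicitly allowed is denied


def get_record_secure(current_user: User, record_id: int) -> dict:
    """Looks the record up, then enforces ownership/role on the server."""
    record = RECORDS.get(record_id)
    if record is None or not can_access(current_user, record, "read"):
        # Same response for "missing" and "not yours": don't reveal which.
        raise Forbidden("access denied")
    return record


if __name__ == "__main__":
    alice = User(id=1, role="user")
    print(get_record_vulnerable(alice, 102))  # leaks bob's record
    try:
        get_record_secure(alice, 102)
    except Forbidden as exc:
        print("secure handler:", exc)
```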

Broken Access Control isn’t always obvious. It usually requires careful thinking about trust boundaries, permissions, and what the system should allow - not just what it does by default.