Web Application Security · intermediate · ~12 min
Find missing authorization, especially IDOR, and state the correct fix.
Broken access control (OWASP #1) is missing server-side authorization. IDOR is the classic form: change an object ID in a request and receive another user's data. Vertical escalation and forced browsing are siblings. Fix: per-request, per-object server-side checks, deny by default.
Access-control flaws are the most common and impactful web bugs — direct data exposure and privilege escalation with no exploit chain needed, just an altered request. They're high-value and frequently missed.
IDOR: trusted object ID → access to others' data.
Vertical escalation: reaching admin functions as a normal user.
Forced browsing: requesting unlinked URLs.
Test: swap IDs; hit admin endpoints.
Fix: server-side per-object authZ, deny by default.
Broken access control — the app failing to enforce what a user may do — is consistently the #1 web risk (OWASP Top 10 A01).
The classic case: the app exposes a record by an ID and trusts the ID without checking ownership.
GET /api/invoices/1001 ← yours
GET /api/invoices/1002 ← someone else's — and it returns it
Change the identifier, get another user's data. IDs in URLs, body fields, and cookies are all candidates. Predictable IDs make it trivial; even UUIDs are vulnerable if leaked or enumerable.
Forced browsing targets resources (e.g. /admin, an admin-only API) that are merely hidden, not protected.
For every object reference and privileged action, ask: does the server verify THIS user may access THIS object? Try another user's IDs; try admin endpoints as a low-privilege user.
Enforce authorization server-side on every request, checking the authenticated user against the specific object/action — never rely on hidden UI, obscure IDs, or client checks. Deny by default.
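The fix above, as an added Python example (not code from this lesson): the IDOR-prone handler beside the corrected one, plus an admin-only endpoint that checks role instead of relying on an unlinked URL, all routed through one deny-by-default `authorize()` that runs per request and per object. The in-memory INVOICES and ROLES tables and the user names are constructed for the example.

```python
from typing import Optional

# Constructed sample data for this example (not from any real system).
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.0},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class AccessDenied(Exception):
    """Server refuses the request; map to HTTP 403 (or 404, see get_invoice)."""

def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """IDOR: trusts the identifier and never asks whether `user` may read it."""
    return INVOICES[invoice_id]

def authorize(user: str, action: str, invoice: Optional[dict] = None) -> bool:
    """Deny by default: True only for an explicitly allowed (role, action, object)."""
    role = ROLES.get(user)
    if role == "admin":
        return True                      # admins may do everything in this example
    if role == "user" and action == "read" and invoice is not None:
        return invoice["owner"] == user  # object-level check: ownership of THIS invoice
    return False                         # everything else, e.g. a user calling admin_report

def get_invoice(user: str, invoice_id: int) -> dict:
    """Fixed handler: look the object up, then check THIS user against THIS object."""
    invoice = INVOICES.get(invoice_id)
    # Missing and not-yours get the same response (e.g. HTTP 404), so the endpoint never confirms which IDs exist.
    if invoice is None or not authorize(user, "read", invoice):
        raise AccessDenied(f"invoice {invoice_id}")
    return invoice

def admin_report(user: str) -> dict:
    """Admin-only endpoint: the role is checked on the server, not hidden by URL."""
    if not authorize(user, "admin_report"):
        raise AccessDenied("admin_report")
    return {"count": len(INVOICES), "total": sum(i["total"] for i in INVOICES.values())}

def denied(handler, *args) -> bool:
    """True if the handler refuses the request (used to check the fix)."""
    try:
        handler(*args)
    except AccessDenied:
        return True
    return False
```

With the fix, a user who changes 1001 to 1002 gets the same refusal as for a non-existent ID, while the admin endpoint refuses normal users regardless of whether they know the path.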
Broken access control — especially IDOR — is the top web risk: the app trusts an identifier or hides a function instead of checking permission. The only fix is server-side authorization on every object and action.