Broken Access Control
Also Known As
BAC
access control failure
authorisation bypass
TL;DR
Failure to enforce what authenticated users are allowed to do — the #1 OWASP vulnerability, enabling privilege escalation and data exposure.
Explanation
Broken access control covers: horizontal escalation (accessing another user's data by changing an ID), vertical escalation (accessing admin functions as a regular user), missing function-level checks (assuming UI hiding is sufficient), insecure direct object references (IDOR), CORS misconfigurations, and JWT tampering. In PHP applications, enforce access checks server-side on every request — never rely on hidden form fields, client-side role checks, or obscure URLs. Centralise authorisation logic in a dedicated gate or policy class rather than sprinkling ad-hoc checks throughout controllers.
How It's Exploited
A user changes /api/invoices/1001 to /api/invoices/1002 and receives another customer's invoice because the controller queries by ID without checking ownership.
Diagram
flowchart TD
USER[Logged-in User<br/>Role: viewer] -->|GET /api/users/42| APP[Application]
APP -->|Check permission?| CHECK{Authorization<br/>check}
CHECK -->|No check!| DB[(Database<br/>returns any user)]
DB --> LEAK[Data exposed<br/>IDOR vulnerability]
subgraph Fix - RBAC
REQ2[Request] --> AUTHZ[Check: does user<br/>own or have role<br/>for this resource?]
AUTHZ -->|Yes| ALLOW[Allow]
AUTHZ -->|No| DENY[403 Forbidden]
end
style LEAK fill:#f85149,color:#fff
style ALLOW fill:#238636,color:#fff
Common Misconception
✗ Hiding URLs or buttons in the UI prevents unauthorised access. Security through obscurity is not access control — any URL accessible to one authenticated user can be accessed directly by another, bypassing the UI entirely.
Why It Matters
Broken access control is the #1 OWASP vulnerability — it means users can access data or actions they should not. A single missing authorisation check can expose every record in your database to any authenticated user.
Common Mistakes
- Hiding links in the UI instead of enforcing authorisation server-side — obscurity is not access control.
- Checking authentication (are you logged in?) but not authorisation (are you allowed to do this?).
- Using sequential IDs and assuming users will not guess other users' resource IDs (IDOR).
- Applying access control in middleware but bypassing it in API routes or admin controllers.
Code Examples
✗ Vulnerable
// Access control only in the UI — not enforced server-side:
router()->get('/admin/users', [AdminController::class, 'index']);
// Middleware checks role for /admin/* in the UI
// But direct API call to /api/users/export has no role check
// Attacker bypasses UI, calls API directly — full data exposure
✓ Fixed
// RBAC check on every protected route (controller action):
public function show(int $id): Response {
    $resource = Resource::findOrFail($id);
    // Check ownership OR admin role:
    if ($resource->user_id !== auth()->id() && !auth()->user()->isAdmin()) {
        abort(403, 'Forbidden');
    }
    return response()->json($resource);
}
// Or policy-based (Laravel): this `show` lives in ResourcePolicy, not in the controller:
public function show(User $user, Resource $resource): bool {
    return $user->id === $resource->user_id || $user->isAdmin();
}
// Controller: $this->authorize('show', $resource); // aborts with 403 when the policy returns false
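A framework-free PHP version of the centralised gate the Explanation recommends, added here as an example and not code from the original page. It assumes PHP 8 and the names User, Invoice, Gate and showInvoice(), and shows the same ownership-or-admin rule refusing a request for another customer's invoice while letting an admin through.

```php
<?php
// Added example, not code from the original page: a framework-free PHP gate
// that centralises "may $user do $ability on $resource?". User, Invoice, Gate
// and showInvoice() are names assumed for this example.
final class User {
    public function __construct(public int $id, public string $role) {}
    public function isAdmin(): bool { return $this->role === 'admin'; }
}
final class Invoice {
    public function __construct(public int $id, public int $ownerId) {}
}
final class Gate {
    /** @var array<string, callable> ability name => policy callback */
    private array $policies = [];
    public function define(string $ability, callable $policy): void {
        $this->policies[$ability] = $policy;
    }
    public function allows(User $user, string $ability, object $resource): bool {
        // Deny by default: an ability nobody registered is never granted.
        $policy = $this->policies[$ability] ?? fn() => false;
        return (bool) $policy($user, $resource);
    }
}
// Constructed in-memory rows standing in for the invoices table.
$invoices = [1001 => new Invoice(1001, 7), 1002 => new Invoice(1002, 9)];
$gate = new Gate();
// Ownership OR admin role, the same rule as the policy in the Fixed example.
$gate->define('invoice.view',
    fn(User $u, Invoice $i) => $u->id === $i->ownerId || $u->isAdmin());
// Handler for GET /api/invoices/{id}: load the row, then authorise it.
// Authentication (who $user is) is assumed to have happened already.
function showInvoice(Gate $gate, array $invoices, User $user, int $id): array {
    $invoice = $invoices[$id] ?? null;
    if ($invoice === null) {
        return ['status' => 404];
    }
    if (!$gate->allows($user, 'invoice.view', $invoice)) {
        return ['status' => 403]; // refused server-side, whatever the UI showed
    }
    return ['status' => 200, 'invoice_id' => $invoice->id];
}
$viewer = new User(7, 'viewer');
$admin  = new User(1, 'admin');
assert(showInvoice($gate, $invoices, $viewer, 1001)['status'] === 200); // own invoice
assert(showInvoice($gate, $invoices, $viewer, 1002)['status'] === 403); // another customer's: horizontal escalation stopped
assert(showInvoice($gate, $invoices, $admin, 1002)['status'] === 200);  // admin role permits it
```

Because every handler asks the one Gate, a missing `define()` fails closed rather than silently granting access.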
References
Tags
Added
15 Mar 2026
Edited
22 Mar 2026
DEV INTEL
Tools & Severity
🔴 Critical
⚙ Fix effort: Medium
⚡ Quick Fix
Check authorisation on every request server-side: does the authenticated user own or have permission for this specific resource?
📦 Applies To
PHP 5.0+
web
api
🔍 Detection Hints
Route or controller action with no auth middleware or missing ownership check on resource by ID
Auto-detectable:
✗ No
semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: High
✗ Manual fix
Fix: High
Context: File
Tests: Update
CWE-284
CWE-285
CWE-862
CWE-863