Access control is the application of constraints on who or what is authorized to perform actions or access resources. While authentication confirms who a user is, and session management tracks which requests belong to that user, access control determines whether the user is allowed to carry out the action they're attempting.
Broken access control remains one of the most prevalent and impactful web security vulnerabilities. When these controls fail, attackers can access sensitive functionality, view other users' private data, or escalate their privileges to gain administrative control. In this comprehensive guide, we'll explore the major categories of access control vulnerabilities, how to detect them, and—most importantly—how to prevent them.
Understanding Access Control: Three Fundamental Types
Access control mechanisms fall into three primary categories, each protecting different aspects of application functionality:
🔒 Vertical Access Control
Restricts access to sensitive functionality based on user types (e.g., admin vs. regular user). Failure enables vertical privilege escalation.
👥 Horizontal Access Control
Restricts access to resources within the same user type (e.g., User A accessing User B's data). Failure enables horizontal privilege escalation.
🔄 Context-Dependent Access Control
Restricts access based on application state or user interaction flow (e.g., multi-step processes). Failure bypasses workflow controls.
Broken access control vulnerabilities exist when a user can access resources or perform actions they're not supposed to. Let's explore each category in detail.
Category 1: Vertical Privilege Escalation
Vertical privilege escalation occurs when a user gains access to functionality they're not permitted to access. For example, if a non-administrative user can access an admin page where they can delete user accounts, that's vertical privilege escalation.
Unprotected Admin Functionality
The simplest form of access control failure: administrative functions exist but have no protection whatsoever.
🚪 Direct URL Access
Administrative functions might be linked from an administrator's welcome page but not from a regular user's page. However, users can access admin functions by browsing directly to the relevant URL:
# Vulnerable Pattern https://insecure-website.com/admin https://insecure-website.com/admin/deleteUser https://insecure-website.com/administrator-panel-yb556
Exploitation: Simply navigate to common admin paths. Tools like gobuster or dirb can discover hidden admin URLs.
🔧 Security by Obscurity
Some applications conceal sensitive functionality by giving it less predictable URLs. This provides no real security:
# Obscured but accessible https://insecure-website.com/administrator-panel-yb556 https://insecure-website.com/manage-users-x7k9p # Discovery methods: # - JavaScript file analysis # - Sitemap enumeration # - Burp Suite content discovery # - Wayback Machine archives
Parameter-Based Access Control
Some applications determine the user's access rights or role at login, then store this information in a user-controllable location.
🍪 Role in Cookies
If role information is stored in cookies, attackers can modify it:
# Original cookie
Set-Cookie: role=user; path=/
# Modified by attacker
Set-Cookie: role=admin; path=/
# Python exploitation
import requests
session = requests.Session()
session.cookies.set('role', 'admin')
response = session.get('https://target.com/admin')
# Access granted if server trusts cookie value
📝 Hidden Form Fields
Roles stored in hidden HTML fields can be modified before submission:
<!-- Vulnerable HTML --> <input type="hidden" name="user_role" value="user"> # Attacker modifies in Burp Suite or browser dev tools: <input type="hidden" name="user_role" value="admin">
Platform Misconfiguration Bypasses
Some applications enforce access controls at the platform layer (web server, framework). Misconfigurations here can lead to complete bypasses.
🌐 HTTP Header Override
Some frameworks support non-standard HTTP headers that override the URL in the original request:
# Normal request (blocked) POST /home HTTP/1.1 # Access control denies /admin/deleteUser # Bypass with header POST /home HTTP/1.1 X-Original-URL: /admin/deleteUser # Server processes /admin/deleteUser instead # Alternative headers to test: X-Rewrite-URL X-Original-URL X-Forwarded-Host
📡 HTTP Method Substitution
If access controls restrict specific HTTP methods, try alternative methods:
# Original (blocked) POST /admin/deleteUser HTTP/1.1 # Try alternatives: GET /admin/deleteUser?username=victim DELETE /admin/deleteUser POSTX /admin/deleteUser # Non-standard method PUT /admin/deleteUser # Some frameworks tolerate different methods for the same action
🔤 URL Matching Discrepancies
Websites vary in how strictly they match request paths to defined endpoints:
# Case variation bypass /admin/deleteUser → /ADMIN/DELETEUSER # Trailing slash bypass /admin/deleteUser → /admin/deleteUser/ # File extension bypass (Spring framework) /admin/deleteUser → /admin/deleteUser.anything # URL encoding bypass /admin/deleteUser → /admin/%64%65%6C%65%74%65%55%73%65%72
Category 2: Horizontal Privilege Escalation
Horizontal privilege escalation occurs when a user accesses resources belonging to another user instead of their own. This is commonly seen in Insecure Direct Object References (IDOR).
Insecure Direct Object References (IDOR)
IDOR vulnerabilities occur when an application uses user-supplied input to access objects directly, and an attacker can modify the input to obtain unauthorized access.
🔢 Predictable User IDs
When user IDs are sequential or predictable, attackers can iterate through them:
# Vulnerable endpoint
GET /api/user/123/profile
# Python enumeration script
import requests
for user_id in range(1, 1000):
response = requests.get(f'https://target.com/api/user/{user_id}/profile')
if response.status_code == 200:
print(f"[+] User {user_id} data: {response.json()}")
🎯 Unpredictable IDs with Leakage
Even with GUIDs or unpredictable IDs, data leakage can occur:
# Redirect with data leakage
GET /messages/abc123-def456
# Response (302 Redirect)
Location: /login
# BUT response body contains:
{"message": "Hello victim_user", "content": "Sensitive data..."}
# Attacker receives redirect but also gets the data
🔑 Password Disclosure via IDOR
Critical IDOR variants can expose passwords or credentials:
# Vulnerable password reset GET /reset-password?user_id=123&token=abc # Attacker changes user_id: GET /reset-password?user_id=124&token=abc # If token validation doesn't match user_id, # attacker can reset other users' passwords
Category 3: Context-Dependent Access Control
Many websites implement important functions over a series of steps. Access control vulnerabilities can exist when some steps are protected but others are not.
Multi-Step Process Vulnerabilities
📋 Skipping Workflow Steps
Imagine a 3-step purchase process where steps 1 and 2 have access controls, but step 3 doesn't:
# Normal flow
POST /cart/add
POST /checkout/review
POST /checkout/complete # Should validate previous steps
# Attacker bypass:
POST /checkout/complete # Skips validation
{
"price": 0.01, # Modified price
"item_id": 123
}
Referer-Based Access Control
📍 Referer Header Validation
Some websites base access controls on the Referer header, which is trivially spoofed:
# Application checks Referer header
if request.headers['Referer'] == 'https://target.com/admin':
grant_access()
# Attacker spoofs Referer:
import requests
headers = {
'Referer': 'https://target.com/admin'
}
response = requests.post(
'https://target.com/admin/deleteUser',
headers=headers,
data={'username': 'victim'}
)
Location-Based Access Control
🌍 Geographic Restrictions
Access controls based on geographical location can be circumvented:
- • Use VPNs or proxies to appear from allowed locations
- • Manipulate client-side geolocation mechanisms
- • Modify HTTP headers that indicate location (X-Forwarded-For)
Detection Methodology
Systematic testing is essential for identifying access control vulnerabilities. Here's a structured approach:
# Access Control Testing Checklist 1. MAP THE APPLICATION - Identify all user roles (admin, user, guest, etc.) - Document all functionality accessible to each role - Map URL structures and parameters 2. TEST VERTICAL ESCALATION - Access admin URLs as regular user - Modify role parameters/cookies - Test HTTP method substitution - Try URL variation bypasses 3. TEST HORIZONTAL ESCALATION - Access other users' resources by ID manipulation - Test with predictable and unpredictable IDs - Check for data leakage in error responses - Test password reset functionality 4. TEST CONTEXT-DEPENDENT CONTROLS - Skip steps in multi-step processes - Access later steps without completing earlier ones - Modify parameters between steps 5. AUTOMATED TESTING - Burp Suite Authorize extension - OWASP ZAP Access Control testing - Custom scripts for ID enumeration
Prevention Strategies
Access control vulnerabilities can be prevented by taking a defense-in-depth approach:
Unless a resource is intended to be publicly accessible, deny access by default. Require explicit authorization for every request.
Wherever possible, use a single application-wide mechanism for enforcing access controls. Avoid scattered, inconsistent checks.
Never trust client-side access control (cookies, hidden fields, JavaScript). All authorization decisions must be made server-side.
Make it mandatory for developers to declare the access allowed for each resource. Use annotations or decorators (e.g., @PreAuthorize, @RolesAllowed).
Instead of exposing database IDs, use temporary, random tokens that map to actual resources server-side.
Each step in a workflow should validate that previous steps were completed. Store process state server-side, not in client parameters.
Hidden URLs, obscure parameter names, and security through obscurity provide no real protection. Assume attackers will discover all endpoints.
Regularly audit and test access controls to ensure they work as designed. Use both automated tools and manual penetration testing.
Real-World Impact
Access control vulnerabilities have been responsible for some of the most significant data breaches:
📊 Data Breaches
IDOR vulnerabilities allow attackers to access other users' personal data, leading to mass data exposure and privacy violations.
🔐 Account Takeovers
Vertical escalation enables attackers to gain admin access, compromising entire applications and user bases.
💰 Financial Loss
Multi-step process bypasses allow attackers to manipulate prices, quantities, or payment amounts in e-commerce applications.
⚖️ Compliance Violations
Unauthorized data access violates GDPR, HIPAA, PCI-DSS, and other regulatory requirements, resulting in fines and legal action.
Key Principle: Access control is not optional—it's fundamental. Every endpoint, every function, every data access point must have explicit authorization checks. Assume every user is an attacker until proven otherwise.
Conclusion
Access control vulnerabilities remain among the most common and dangerous web security flaws. From simple unprotected admin pages to sophisticated multi-step process bypasses, attackers continuously find ways to exploit weak or missing authorization checks.
The good news? Every vulnerability discussed here is preventable with careful design, consistent enforcement, and rigorous testing. By understanding these attack patterns and implementing layered defenses, developers can build applications that properly restrict access to sensitive functionality and data.
As you build or audit applications, remember: access control failures are often the difference between a minor security issue and a catastrophic breach. Test adversarially, validate server-side, and never assume obscurity provides protection.