
OWASP TOP 10  /  A01:2021

Broken Access Control

Failures that let users act outside their intended permissions — viewing, modifying, or deleting data they shouldn’t.

Broken access control moved to #1 in 2021 as the most common serious web risk. It includes insecure direct object references (IDOR), missing function-level checks, privilege escalation, and CORS misconfiguration.

Attackers simply change an ID, URL, or token to reach other users’ data or admin functions. Enforce access decisions server-side, deny by default, and never trust client-supplied identifiers.

How to prevent it

Deny by default, enforce checks server-side on every request, use indirect object references, and log access-control failures.
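As an added illustration (not part of the OWASP reference or this library's own material), the Python sketch below contrasts a handler with a classic IDOR against one that applies the four controls above: it resolves an opaque, per-user indirect reference, denies by default, re-checks ownership server-side, and logs every refusal. The invoice records, the indirect-reference map and the handler names are constructed for the example.

```python
import logging

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("access-control")

# Constructed sample data: invoices keyed by their internal database id.
INVOICES = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.50},
}

# Hypothetical per-user indirect reference map. The client only ever sees the
# opaque handle on the left; the internal id on the right never leaves the server.
INDIRECT_REFS = {
    "alice": {"inv-a1": 101},
    "bob": {"inv-b1": 102},
}


class Forbidden(Exception):
    """Raised whenever the access decision is anything other than an explicit allow."""


def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR: trusts the client-supplied id and ignores who is asking.

    Changing 101 to 102 in the request is enough to read another user's record.
    """
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user, handle):
    """Deny by default: resolve the handle only inside the caller's own namespace,
    then re-check ownership on the record itself and log any refusal."""
    invoice_id = INDIRECT_REFS.get(session_user, {}).get(handle)
    if invoice_id is None:
        log.warning("access denied: user=%s handle=%s (unknown reference)", session_user, handle)
        raise Forbidden()
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        # Defence in depth: even a correct handle must map to a record the caller owns.
        log.warning("access denied: user=%s invoice=%s (not owner)", session_user, invoice_id)
        raise Forbidden()
    return record


def try_access(session_user, handle):
    """Convenience wrapper: returns the record, or None when access is denied."""
    try:
        return get_invoice_hardened(session_user, handle)
    except Forbidden:
        return None
```

The vulnerable handler returns bob's invoice to alice as soon as she changes the id; the hardened one refuses any handle that is not in her own namespace, so she cannot even name bob's record.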

Mapped weaknesses (CWE)

Free tools to test for it

Related terms

Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.
