Broken Access Control

Authentication identifies “WHO” is accessing an application. Authorization enforces “WHAT” an authenticated user is allowed to do. The distinction is critical: broken access control lets an attacker reach data or functions they should not be able to, such as viewing or modifying other users’ accounts or exfiltrating data. When testing, look for the following:

  • Modifying the URL or input parameters (including hidden form fields and cookies) to bypass access control checks.  
  • Insecure direct object references: changing the ID in the request so it points at another user’s account (IDOR).  
  • Elevation of privilege: can a user act as an admin by modifying the request, for example by setting a role flag that the server trusts?  
  • APIs that enforce access control on GET but not on POST, PUT, and DELETE HTTP verbs.
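The following is an added example, not code from the original page. It models a tiny in-memory accounts API with two handlers: one that only authenticates (and so exhibits the IDOR, privilege-escalation and missing-verb-check problems in the list above) and a hardened one that authorizes every verb against a server-side role table. All names, account IDs, roles and the `Request` shape are hypothetical sample data constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


def fresh_store():
    """Constructed sample data (hypothetical): two accounts keyed by ID."""
    return {
        101: {"owner": "alice", "balance": 500},
        102: {"owner": "bob", "balance": 900},
    }


# Server-side source of truth for roles; the request never gets to say what role it has.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

WRITABLE_FIELDS = {"nickname"}  # explicit allow-list of fields a client may change via PUT


@dataclass
class Request:
    user: Optional[str]                      # authenticated identity from the session (WHO)
    method: str                              # "GET", "PUT" or "DELETE"
    account_id: int                          # object ID taken from the URL path
    params: dict = field(default_factory=dict)  # query string / hidden-field parameters
    body: dict = field(default_factory=dict)    # JSON body


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_handler(req, store):
    """Checks WHO but never WHAT. Three of the bullets above are present:
    - IDOR: any logged-in user can read or change any account ID they guess
    - privilege escalation: the 'admin' flag is read from client-controlled params
    - missing method-level checks: PUT and DELETE get no more scrutiny than GET
    """
    if req.user not in ROLES:
        raise Unauthenticated()
    acct = store.get(req.account_id)
    if acct is None:
        raise NotFound()
    if req.method == "GET":
        return dict(acct)
    if req.method == "PUT":
        acct.update(req.body)  # mass assignment: body may overwrite "owner"
        return dict(acct)
    if req.method == "DELETE":
        if req.params.get("admin") == "true":  # trusts a role claim sent by the client
            del store[req.account_id]
            return None
        raise Forbidden()
    raise Forbidden()


def authorize(req, acct):
    """The WHAT check: deny by default, allow the owner or an admin.
    A non-owner gets the same NotFound as a missing ID so the ID space
    cannot be enumerated by telling 403 apart from 404. Returns the role."""
    role = ROLES[req.user]
    if role == "admin":
        return role
    if acct["owner"] != req.user:
        raise NotFound()
    return role


def hardened_handler(req, store):
    """Same API, with authentication, then object-level and verb-level authorization."""
    if req.user not in ROLES:
        raise Unauthenticated()
    acct = store.get(req.account_id)
    if acct is None:
        raise NotFound()
    role = authorize(req, acct)  # applied to every verb, not just GET
    if req.method == "GET":
        return dict(acct)
    if req.method == "PUT":
        rejected = set(req.body) - WRITABLE_FIELDS
        if rejected:  # reject rather than silently drop, so tampering is visible in logs
            raise Forbidden(f"fields not writable: {sorted(rejected)}")
        acct.update(req.body)
        return dict(acct)
    if req.method == "DELETE":
        if role != "admin":  # role comes from ROLES, never from req.params
            raise Forbidden()
        del store[req.account_id]
        return None
    raise Forbidden()


def outcome(handler, req, store):
    """Run a handler and report what the client would see: the result or the error type."""
    try:
        return handler(req, store)
    except (Unauthenticated, Forbidden, NotFound) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    store = fresh_store()
    print(outcome(vulnerable_handler, Request("bob", "GET", 101), store))   # alice's account leaks
    print(outcome(hardened_handler, Request("bob", "GET", 101), store))     # NotFound
```

The hardened handler deliberately returns NotFound rather than Forbidden to a non-owner: a distinct "forbidden" response confirms that the guessed ID exists and invites enumeration. The allow-list on PUT is what stops a client from promoting itself by writing `owner` or a role field into the body.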