Severity: High | CWE-284 | OWASP A01:2021

Broken Access Control

Users can act outside their intended permissions, accessing other users' data or admin functionality without proper authorization checks.

How It Works

Broken access control happens when an application fails to enforce restrictions on what authenticated users are allowed to do. An attacker modifies the URL, the API request, or application state to reach resources they are not authorized for; for example, changing /api/users/123 to /api/users/456 to view another user's profile. This pattern is known as an Insecure Direct Object Reference (IDOR): the server trusts the user-supplied ID without verifying that the caller owns, or is otherwise permitted to read, the referenced record.

Vulnerable Code

// The route looks up whatever id the client sends and returns it. Nothing ties
// the record to the caller, so any authenticated user can read any profile.
app.get('/api/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user);
});

Secure Code

// req.auth.userId is assumed to be set by the authentication middleware from
// the session or token, never from the request body or query string.
app.get('/api/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  // Ownership check: the caller may only read their own record. Missing and
  // forbidden records get the same 403 so the response does not reveal which ids exist.
  if (!user || user.id !== req.auth.userId) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  res.json(user);
});

Real-World Example

In 2019, First American Financial exposed 885 million records through an IDOR vulnerability. Changing a single number in the URL allowed access to any customer's mortgage documents, Social Security numbers, and bank details.

How to Prevent It

  • Always verify resource ownership on the server side
  • Use session-based user IDs instead of client-supplied IDs
  • Implement role-based access control (RBAC)
  • Deny access by default — require explicit grants
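The four prevention rules applied to the /api/users/:id route, as an added example that is not part of the original page. It runs without Express: the handlers take a plain request object, an in-memory Map stands in for db.users, and req.auth (with userId and roles) is assumed to be populated by an upstream authentication middleware.

```javascript
// Constructed sample data standing in for db.users.
const users = new Map([
  ['123', { id: '123', name: 'Alice', email: 'alice@example.test' }],
  ['456', { id: '456', name: 'Bob', email: 'bob@example.test' }],
]);

// Deny by default: access is granted only to the record's owner or to a caller
// holding an explicit 'admin' role; any other case, including a missing or
// malformed auth context, is refused.
function canReadUser(auth, user) {
  if (!auth || typeof auth.userId !== 'string') return false;
  if (user.id === auth.userId) return true;          // resource ownership
  const roles = Array.isArray(auth.roles) ? auth.roles : [];
  return roles.includes('admin');                     // explicit RBAC grant
}

// Same shape as the page's route handler, but synchronous and returning the
// response object instead of writing it, so it can be called directly.
function getUserHandler(req) {
  const user = users.get(String(req.params.id));
  // One status for "not found" and "not yours" avoids confirming which ids exist.
  if (!user || !canReadUser(req.auth, user)) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  return { status: 200, body: user };
}

// Rule 2 taken literally: a /api/me style endpoint ignores client-supplied ids
// entirely and serves the record bound to the authenticated session.
function getMeHandler(req) {
  const userId = req.auth && req.auth.userId;
  const user = userId ? users.get(userId) : undefined;
  if (!user) return { status: 403, body: { error: 'Forbidden' } };
  return { status: 200, body: user };
}
```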

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
