
Broken Access Control: OWASP #1 Vulnerability Explained

Path traversal, IDOR, and missing authorization in modern applications

What Is Broken Access Control

Broken access control occurs when an application fails to enforce restrictions on what authenticated users are allowed to do. Users can access resources, perform actions, or view data that should be restricted to other users or roles. It is ranked #1 in the OWASP Top 10 due to its prevalence and impact.

Access control vulnerabilities span multiple CWEs: CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-22 (Path Traversal), and CWE-352 (CSRF). They manifest in any application that makes authorization decisions based on user-controllable input.

The core problem is that access control is a server-side enforcement concern, yet many applications rely on client-side controls (hidden UI elements, disabled buttons, or frontend route guards) that an attacker bypasses by directly calling the API. Every endpoint that serves user-specific data or performs a privileged action must independently verify the caller's authorization.

Common patterns include: accessing another user's data by modifying an ID parameter, escalating privileges by changing a role field, bypassing function-level access checks by directly calling admin API endpoints, and reading files outside the intended directory via path traversal.

Path Traversal and IDOR Attacks

Insecure Direct Object References (IDOR)

IDOR vulnerabilities (CWE-639) occur when an application exposes internal object identifiers—database IDs, file names, or record keys—and fails to verify that the requesting user is authorized to access the referenced object:

// Vulnerable: no authorization check
const express = require('express');
const app = express();
// `db` is the application's data layer (an ORM client set up elsewhere)
app.get('/api/invoices/:id', async (req, res) => {
  const invoice = await db.invoice.findById(req.params.id); // looked up by id alone
  res.json(invoice); // Any authenticated user can access any invoice
});

An attacker changes /api/invoices/1001 to /api/invoices/1002 and retrieves another user's invoice. The fix requires verifying that the authenticated user owns or has permission to access the requested resource.
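The ownership check described above, written out as an added example (this is not CodeSlick's code and not the page's original snippet). It uses an in-memory Map in place of the database so it runs offline; the record layout, the `invoice:read-all` role and the function names are assumptions made for illustration.

```javascript
// Added example: an IDOR-prone lookup beside an ownership-checked one.
// Constructed sample data: invoice id -> record with its owner.
const invoices = new Map([
  [1001, { id: 1001, ownerId: 'alice', amount: 120 }],
  [1002, { id: 1002, ownerId: 'bob', amount: 300 }],
]);

// Constructed role table: users allowed to read every invoice (e.g. finance staff).
const roles = new Map([['carol', ['invoice:read-all']]]);

// Vulnerable lookup: trusts the id and never consults who is asking.
function findInvoiceVulnerable(id) {
  return invoices.get(Number(id)) || null;
}

// Hardened lookup: the requester's identity comes from the session, never from
// the request parameters, and the result is filtered by what that user may see.
function findInvoiceForUser(requesterId, id) {
  const invoice = invoices.get(Number(id));
  if (!invoice) return { status: 404, body: null };
  const canReadAll = (roles.get(requesterId) || []).includes('invoice:read-all');
  if (invoice.ownerId !== requesterId && !canReadAll) {
    // Design choice: answer 404 rather than 403 so the response does not
    // confirm to the caller that the guessed id exists.
    return { status: 404, body: null };
  }
  return { status: 200, body: invoice };
}

// Express-style handler logic, kept framework-free so it is testable:
// req.session.userId is the authenticated identity, req.params.id the URL id.
function invoiceHandler(req) {
  const requesterId = req.session && req.session.userId;
  if (!requesterId) return { status: 401, body: null };
  return findInvoiceForUser(requesterId, req.params.id);
}
```

With a real ORM the same idea is expressed by scoping the query itself (`findOne({ id, ownerId: requesterId })`) rather than fetching by id and filtering afterwards; either way the decision is made on the server from session state, not from anything the client sent.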

Path Traversal

Path traversal (CWE-22) allows attackers to access files outside the intended directory by injecting ../ sequences into file path parameters:

// Vulnerable: user controls file path
const express = require('express');
const path = require('path');
const app = express();
app.get('/files', (req, res) => {
  const filePath = path.join('/uploads', req.query.name); // join() normalises "../", so the result can leave /uploads
  res.sendFile(filePath);
});

// Attack: /files?name=../../etc/passwd  (path.join yields /etc/passwd)

The attacker escapes the /uploads directory and reads arbitrary server files, including credentials, configuration, and source code. Path traversal applies to any operation that constructs file paths from user input—file downloads, image rendering, template loading, and log viewing.

Real-World Access Control Failures

  • Facebook (2018): An access control flaw in the "View As" feature allowed attackers to steal access tokens for 50 million accounts by exploiting a combination of bugs that generated tokens for the viewed user rather than the viewer.
  • Parler (2021): Sequential post IDs with no authorization checks allowed researchers to download every public and private post, including deleted content and GPS metadata, by incrementing the ID parameter.
  • First American Financial (2019): An IDOR vulnerability exposed 885 million sensitive documents (Social Security numbers, bank statements) by simply modifying a document ID in the URL. No authentication was required.
  • Uber (2016): Path traversal in an internal admin tool allowed attackers to access driver records and trip data.

These breaches share a common cause: the application trusted user-supplied identifiers without verifying authorization on the server side.

How CodeSlick Detects Access Control Issues

CodeSlick detects access control vulnerabilities across JavaScript, TypeScript, Python, Java, and Go through pattern analysis targeting the code constructs that lead to exploitation:

  • Path traversal: File operations using user-controlled input without path sanitization or chroot enforcement (CWE-22)
  • IDOR patterns: Database queries using request parameters as direct record lookups without ownership verification
  • CORS misconfiguration: Wildcard origins, credentials with permissive origins, and reflected origin headers
  • Missing CSRF protection: State-changing endpoints without anti-CSRF tokens or SameSite cookie attributes (CWE-352)

All findings include CWE classification, CVSS severity scoring, and AI-powered fix suggestions. CodeSlick integrates into pull requests via the GitHub App and into pre-commit hooks via the CLI.

Detect broken access control patterns including IDOR and path traversal in your code.
