OWASP Security / top10_2025
A01:2025 - Broken Access Control
Occurs when users can perform actions or access resources outside their intended permissions.
Intent & Description
🎯 Intent
Prevent unauthorized access to resources and actions. Ensure users can only access what they are authorized to.
📋 Context
Applications fail to enforce access control consistently on the server side, allowing users to act outside their intended permissions: reading or modifying other users' records by supplying their identifiers (insecure direct object references), escalating to administrative functions, or bypassing checks by tampering with URLs, parameters or tokens. Server-Side Request Forgery (SSRF), previously a category of its own, has been consolidated into this category in the 2025 edition.
💡 Solution
Implement access control in a single, trusted server-side mechanism that every request passes through, and reuse it across the application rather than re-implementing checks per endpoint; hiding a button or link in the UI is not a control. Deny by default: grant access only when an explicit rule allows it. Enforce record-level ownership so a user can only read or modify records they own, instead of trusting identifiers supplied in the request. Disable web server directory listing. Log access control failures and alert on repeated ones, which usually indicate someone probing for missing checks.
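As an added example, not code from the OWASP page, the following Python shows the controls above in a minimal, framework-free authorization layer: a deny-by-default policy table, a record-level ownership check at a single choke point, an IDOR-style handler beside its hardened form, and an audit list of every denial. The `User` and `Invoice` types, the policy entries, the action names and the sample records are all constructed for illustration.

```python
"""Added example, not from the OWASP page: deny-by-default, record-level
ownership and failure logging in one small authorization layer.
Everything here (User, Invoice, the policy table, the sample records)
is constructed for illustration."""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


class Forbidden(Exception):
    """Raised for both unknown and unauthorized records, so the response
    does not tell a probing user which ids exist."""


# Constructed sample data: two invoices belonging to two different customers.
INVOICES = {
    1: Invoice(id=1, owner_id=100, amount=50),
    2: Invoice(id=2, owner_id=200, amount=75),
}

# Allow-list of (role, action) -> whether the grant is limited to records the
# user owns. Any pair missing from this table is denied: deny by default.
POLICY = {
    ("customer", "invoice:read"): True,    # own records only
    ("customer", "invoice:pay"): True,
    ("support", "invoice:read"): False,    # any record, but read only
    ("admin", "invoice:read"): False,
    ("admin", "invoice:delete"): False,
}

# Every denial is recorded here (and logged) so it can be alerted on.
AUDIT = []


def check(user, action, record):
    """Return True only if one of the user's roles explicitly grants `action`
    and, where that grant is ownership-scoped, the record belongs to the user."""
    for role in user.roles:
        scoped = POLICY.get((role, action))
        if scoped is None:
            continue                       # no rule for this role: no grant
        if not scoped or record.owner_id == user.id:
            return True
    event = {"user": user.id, "action": action,
             "record": record.id, "owner": record.owner_id}
    AUDIT.append(event)
    log.warning("access denied %s", event)
    return False


def require(user, action, record):
    """Single choke point for handlers: raise unless check() allows."""
    if not check(user, action, record):
        raise Forbidden(f"{action} on invoice {record.id}")
    return record


def denial_count():
    return len(AUDIT)


def get_invoice_vulnerable(user, invoice_id):
    """Before: an insecure direct object reference. The id comes straight from
    the request and ownership is never checked, so any authenticated user can
    read any invoice by guessing ids."""
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    """After: look the record up, then authorize against that record."""
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden(f"invoice {invoice_id}")
    return require(user, "invoice:read", record)


def delete_invoice(user, invoice_id):
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden(f"invoice {invoice_id}")
    require(user, "invoice:delete", record)
    del INVOICES[invoice_id]
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    customer = User(100, frozenset({"customer"}))
    print(get_invoice(customer, 1))                  # own record: allowed
    print(get_invoice_vulnerable(customer, 2))       # IDOR: leaks invoice 2
    try:
        get_invoice(customer, 2)                     # hardened: denied and logged
    except Forbidden as e:
        print("denied:", e)
    print("denials so far:", denial_count())
```

Two design choices worth noting: the check runs against the record after it is loaded, not against the id in the request, because ownership can only be decided once the owner is known; and unknown and unauthorized ids raise the same exception so an attacker enumerating ids learns nothing from the difference. Routing every handler through `require()` is what makes "deny by default" hold in practice: an action nobody added to `POLICY` is refused everywhere at once.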
Real-world Use Case
Use to protect sensitive resources, enforce authorization boundaries, and prevent privilege escalation in web applications.
📌 TL;DR
Prevent users from acting outside their intended permissions. Deny by default, enforce ownership, and log access control failures.
Advantages
- Prevents unauthorized data access
- Reduces risk of privilege escalation
- Covers SSRF, now part of this category, when the same deny-by-default approach is applied to the destinations of server-side requests
- Enforces least privilege principle
Disadvantages
- Complex to implement correctly across all endpoints
- May require significant refactoring of legacy systems
- Testing coverage can be challenging