Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing business functions outside the user's limits.
- Insecure Direct Object Reference (IDOR): manipulating request parameters to access resources the user is not authorized for
- Vertical & Horizontal Privilege Escalation: gaining access beyond the user's assigned permissions, either a higher role (vertical) or another user's data at the same role (horizontal)
- Directory Traversal: accessing unprotected pages by guessing URLs
- Cross-Origin Issues: exploiting permissive cross-origin policies
- Token Attacks: modifying tokens to change identity or permissions
- Server-Side Request Forgery (SSRF): making the server fetch internal resources the client is not authorized to reach
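The two failure modes that dominate the list above, an object lookup that trusts a client-supplied identifier (IDOR, horizontal escalation) and a business function that never checks the caller's role (vertical escalation), come down to the same missing step: deciding authorization on the server's own record of who owns what, with denial as the default. The following is an added example, not code from the page or from the OWASP lab; the users, roles, documents and the role names "user" and "admin" are constructed sample data.

```python
"""Added example (not part of the original page): an IDOR-style lookup beside
an ownership- and role-checked version, with denials recorded for detection.
All users, roles and documents below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed role names: "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


class AuthorizationError(PermissionError):
    """Raised whenever a request is denied; the caller gets one uniform error."""


# Constructed sample data: two ordinary users, one admin, two documents.
USERS = {
    100: User(100, "user"),
    200: User(200, "user"),
    1: User(1, "admin"),
}
DOCUMENTS = {
    1: Document(1, owner_id=100, body="alice's notes"),
    2: Document(2, owner_id=200, body="bob's notes"),
}

# Denied requests, kept so they can be alerted on; a burst of denials from one
# requester across many object ids is the classic signature of ID enumeration.
DENIALS = []


def _deny(requester, action, target):
    DENIALS.append((requester.user_id, action, target))
    raise AuthorizationError("denied")


def get_document_vulnerable(doc_id):
    """IDOR: the lookup trusts the client-supplied id and never asks who is calling."""
    return DOCUMENTS[doc_id].body


def get_document(requester, doc_id):
    """Hardened lookup: deny by default, allow only the owner or an admin.

    The decision is made against the server-side owner_id, never against any
    ownership claim in the request. A missing object and a forbidden object
    produce the same error so the response does not reveal which ids exist.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        _deny(requester, "read", doc_id)
    if requester.role == "admin" or doc.owner_id == requester.user_id:
        return doc.body
    _deny(requester, "read", doc_id)


def list_all_users(requester):
    """Vertical check: a business function restricted to the admin role."""
    if requester.role != "admin":
        _deny(requester, "list_users", "*")
    return sorted(USERS)


def denial_count(user_id):
    """How many denied requests a given requester has accumulated."""
    return sum(1 for uid, _, _ in DENIALS if uid == user_id)


if __name__ == "__main__":
    alice, bob, admin = USERS[100], USERS[200], USERS[1]
    print(get_document(alice, 1))            # alice reads her own document
    print(get_document(admin, 2))            # admin may read any document
    for doc_id in (2, 3, 4):                 # alice probing other ids is denied each time
        try:
            get_document(alice, doc_id)
        except AuthorizationError:
            pass
    print("denials for alice:", denial_count(100))
```

The vulnerable function is kept only to make the contrast visible: it is the pattern where the id in the URL is the only thing between a user and every record in the table. The hardened version fetches the object first and then decides, so the same code path covers horizontal escalation (another user's document) and enumeration of non-existent ids, while the denial log gives operations something to alert on.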
- IDOR exposed 540M user records
- Access control flaw exposed 57M users
- API abuse leaked 4.6M usernames
- Sequential IDs allowed mass data scraping
Built by an OWASP Member • Part of the OWASP Web Security Lab Series