loading
Loading content
loading
Broken access control covers any case where the application fails to enforce what a user is allowed to do. The user authenticates fine, but the server trusts a request it should have refused: a regular account reaches an admin endpoint, one customer reads another customer's order, a hidden parameter flips a privilege flag. The authentication worked; the authorization did not.
The category is broad because access checks live everywhere and miss easily. Common patterns include changing an object ID in a URL to view someone else's record, forcing your way to a function the UI never showed you, and trusting a role claim the client can edit. IDOR is a frequent specific case, where the app keys access on a guessable identifier without confirming ownership.
This is the kind of flaw that ranks at the top of the OWASP Top Ten, and it hits API security hardest because APIs expose object references and actions directly to clients. Attackers also combine it with CSRF to trigger privileged actions through a victim's session.
In a Trickest workflow, you enumerate endpoints and object IDs from crawling, then replay requests across different roles and tokens to flag any response that returns data the caller should never see.
Related terms