InfoSec

Understanding Access Control

Access control is a security practice that regulates who or what can view or use resources in a computing environment. It is a fundamental component of security that enforces authorization after an entity's identity is verified through authentication.

The core components of access control are:
Identification: A user or system claiming an identity (e.g., providing a username).
Authentication: Verifying the claimed identity (e.g., using a password, token, or biometric data).
Authorization: Determining what the authenticated entity is permitted to do or access (the actual access control decision).
Accountability (or Audit): Tracking access requests and actions to ensure compliance and detect anomalies.

Access Control Models (How Permissions Are Assigned)

These are the most common models used in modern computing systems to enforce authorization and determine what an authenticated user can do.

Model	Mechanism	Key Feature	Best For
Discretionary Access Control (DAC)	Access is determined by the owner of the resource (e.g., the person who created a file). The owner can grant or revoke access to other users at their discretion.	Highly flexible but least restrictive and prone to errors.	Small environments, individual files in typical OS (like Windows/Linux).
Mandatory Access Control (MAC)	Access is granted based on security labels (clearance/classification) assigned by a central authority, not the owner. Users cannot change permissions.	Extremely strict and centralized. Enforces non-discretionary policies.	High-security, military, or government environments.
Role-Based Access Control (RBAC)	Access is based on the user's role within the organization (e.g., "HR Manager," "Engineer"). Permissions are tied to the role, and users inherit them when assigned a role.	Highly scalable and streamlines administration. Follows the Principle of Least Privilege well.	Medium-to-large corporate or enterprise environments.
Attribute-Based Access Control (ABAC)	Access is determined by evaluating a set of attributes (characteristics) about the user, the resource, and the environment (e.g., user is "Manager" AND resource is "Confidential" AND time is "Business Hours").	Most granular and dynamic control, creating context-aware policies.	Complex, modern environments (cloud, mobile) requiring fine-grained, dynamic access.

Real-World Broken Access Control Exploits

Real-world broken access control exploits often look deceptively simple: a changed ID in a URL, a missing role check on an API, or an “admin” endpoint that never verifies who is calling it.

IDOR and URL manipulation

Many incidents come from insecure direct object references (IDOR), where changing an identifier in a URL or parameter returns someone else’s data because the backend never checks ownership. For example, customer payment or document URLs with ?id=5436 could be edited to ?id=5437 to view another user’s records, as seen in real leaks where millions of financial or mortgage documents were exposed by sequential ID access.

Broken access in high-profile breaches

Several large breaches have been tied to missing or weak authorization on powerful back-end functions. Attackers in the MOVEit incident leveraged flawed access controls and SQL-level issues to run unauthorized queries and download sensitive files for thousands of organizations using the managed file-transfer platform. Similarly, the USPS “Informed Delivery” issue allowed logged-in users to enumerate and modify other users’ data via an API that accepted any customer ID without verifying that it belonged to the caller.

Privilege escalation and admin takeover

Broken access control is also exploited to turn a normal account into an admin. In some real cases, attackers found endpoints or parameters that directly set permission levels (for example, changing a role or isAdmin flag) or accessed admin-only URLs that lacked robust server-side checks. Once privileges were escalated, they could manage other users, extract entire databases, or disable security controls, which is why broken access control remains OWASP’s top-ranked web risk.

Progression from Same-Level to Higher-Level Privilege Abuse

Privilege abuse often starts with “same-level” horizontal access control bugs and then escalates into full admin or system compromise once a higher-privileged account is reached.

From horizontal to vertical escalation

Horizontal privilege abuse happens when a user at one level can act as another user with the same nominal role, such as viewing or modifying another customer’s data by changing an ID in a URL or request body. If that flaw can target more privileged identities (for example, staff or admin accounts), compromising one of those accounts turns the attack into vertical privilege escalation, granting access to powerful functions and sensitive data.

Example progression in practice

Consider an app where users can reset each other’s passwords by changing a user_id parameter in a password-reset API because the server never checks ownership. At first, an attacker might reset another regular user’s password (horizontal abuse), but by iterating IDs and targeting an administrator’s account, they eventually gain admin credentials, unlock admin dashboards, adjust roles, or export entire datasets (vertical abuse).

Why this pattern is dangerous

This progression is common because developers sometimes focus on protecting “admin URLs” while overlooking how regular-users can influence higher-privileged accounts through indirect features like invitations, password reset, or profile linking. Once attackers chain these paths, what started as “just” access to another same-level account can rapidly become organization-wide compromise, reinforcing why both horizontal and vertical access controls must be enforced consistently on every sensitive operation.

Access Control Weaknesses in Multi-Step Workflows

Access control weaknesses in multi-step workflows appear when only some steps in a process enforce authorization, letting attackers jump straight to powerful actions without passing earlier checks.

Skipping protected steps

Many apps implement sensitive actions (like changing user details, approving payments, or upgrading roles) as a series of HTTP requests: load form → submit changes → confirm. If the first request is properly restricted but the final “confirm” request has no server-side access check, an attacker can capture that last request pattern and call it directly with modified parameters, performing the action without ever visiting the earlier, protected steps.

Example: role-change or account-modification flows

A common pattern is an admin-only workflow for changing a user’s role that sends one request to select the user and a second request to confirm the promotion. If access control is only enforced on the selection step, a regular user who learns the confirm-request format (for example from logs or a prior admin session) can replay or craft that confirm request directly and upgrade their own account to admin, completely bypassing the intended approval flow.

Why workflows are fragile

Developers often assume that users reach step N only by following steps 1 to N−1, forgetting that attackers can send any HTTP request in any order. In complex financial or configuration workflows, this leads to issues like executing state-changing endpoints without fresh authorization, double-spending or duplicate actions when error paths aren’t protected, and privilege escalation when finalization steps trust client-provided IDs or roles instead of revalidating them server-side.

Strategies to Mitigate Access Control Flaws

Mitigating access control flaws means enforcing “who can do what” in a consistent, deny‑by‑default way across every endpoint and workflow, not just at the UI.

Design for least privilege and deny-by-default

Define roles, resources, and allowed actions in an access control matrix, then implement a policy where everything is denied unless explicitly permitted. Apply the principle of least privilege with RBAC or ABAC so each user, token, or service gets only the minimum permissions needed, and regularly review roles to prevent privilege creep.

Enforce server-side checks on every request

Never rely on client-side controls, hidden fields, or “security by URL naming”; all authorization decisions must be enforced in server-side logic or a trusted gateway. Centralize authorization middleware and validate object-level and function-level permissions on every request, including AJAX and background calls, so a single missed endpoint cannot be used for escalation.

Secure sessions, authentication, and workflows

Strong authentication (with MFA where appropriate), secure session management, and proper logout/timeouts reduce the chance that attackers reuse valid sessions to bypass checks. For multi-step transactions, follow OWASP’s transaction authorization guidance: require steps in order, bind authorization to the exact data being confirmed, and ensure the final “execute” step revalidates identity and permissions instead of trusting earlier state.

Testing, auditing, and monitoring

Integrate access-control-focused tests (negative tests like cross-user and cross-tenant access) into unit, integration, and end-to-end testing. Run regular code reviews, penetration tests, and automated scans specifically targeting broken access scenarios, and monitor logs for repeated access denials, unusual role changes, or forced browsing that may indicate attempted or successful bypasses.