Overview
Broken Access Control (OWASP A01:2025) accounts for more security findings than any other category, appearing in 94% of applications tested. Three patterns dominate real-world exploitation.
Pattern 1: Insecure Direct Object Reference (IDOR)
# Attacker changes their user ID to a victim ID
GET /api/v1/users/1337/profile → 200 OK (victim data returned)
GET /api/v1/orders/9001/invoice.pdf → 200 OK (victim invoice returned)
Fix: Always enforce server-side ownership checks. Look the resource up by its ID and the authenticated user's ID together, so a record that belongs to someone else is handled exactly like a record that does not exist; the query below returns no document in either case, and the response does not reveal which IDs are valid.
// Correct implementation (Node.js, inside an authenticated async route handler;
// req.user is populated by the authentication middleware)
const doc = await Document.findOne({
  id: req.params.id,
  ownerId: req.user.id // enforce ownership server-side
});
if (!doc) return res.status(403).json({ error: 'Forbidden' });
Pattern 2: Path Traversal
GET /download?file=../../etc/passwd → exposes /etc/passwd
GET /download?file=....//....//etc/passwd → WAF bypass variant
Fix: Canonicalize the path (resolve `.`, `..` and repeated separators) and verify that the result lies within the allowed base directory before opening it. Do not rely on stripping `../` substrings: the `....//` variant above is built to survive exactly that kind of filter.
Pattern 3: JWT Algorithm Confusion
If the server accepts both RS256 and HS256, an attacker can sign a forged admin token using the server's public key as the HMAC secret.
jwt_tool.py eyJ... -X a -pk public.pem
# Forged token accepted as valid admin session
Fix: Pin the expected algorithm in server configuration instead of reading it from the token header; never accept alg: none.
jwt.verify(token, publicKey, { algorithms: ['RS256'] })
Prevention Checklist
- Deny access by default — explicitly grant permissions
- Enforce server-side authorization on every API endpoint
- Invalidate JWT tokens server-side on logout using a blocklist
- Rate-limit API endpoints to slow IDOR enumeration
- Use UUIDs instead of sequential integers for resource identifiers (this slows enumeration but does not replace the ownership check)