# 1. Broken Access Control

## What is Broken Access Control?

{% hint style="info" %}
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
{% endhint %}

## Scenario 1

The application uses unverified data in a SQL call that is accessing account information:

```java
 // Binding the parameter prevents SQL injection, but nothing checks that
 // the caller is allowed to see the account named in "acct".
 pstmt.setString(1, request.getParameter("acct"));
 ResultSet results = pstmt.executeQuery();
```

An attacker simply modifies the browser's 'acct' parameter to send whatever account number they want. If not correctly verified, the attacker can access any user's account.

```
 https://example.com/app/accountInfo?acct=notmyacct
```
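The point of Scenario 1 is that a parameterized query is not an authorization check. The following is an added example, not code from the original page or from OWASP, using an in-memory SQLite table with constructed sample accounts; the function names `account_info_vulnerable` and `account_info_safe` and the column names are assumptions for illustration. The vulnerable lookup returns whatever account the request names; the safe lookup scopes the query to the authenticated user, so another user's account simply does not exist from the caller's point of view.

```python
import sqlite3
from typing import Optional

# Constructed sample data (not from the original page): two users, two accounts.
ACCOUNTS = [
    ("acct-alice", "alice", 1500),
    ("acct-bob", "bob", 4200),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory accounts table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " acct TEXT PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def account_info_vulnerable(conn: sqlite3.Connection,
                            requested_acct: str) -> Optional[dict]:
    """Mirror of the page's snippet: the 'acct' request parameter is bound safely
    (no SQL injection), but nothing ties the returned row to the caller."""
    row = conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ?",
        (requested_acct,),
    ).fetchone()
    return None if row is None else {"acct": row[0], "owner": row[1], "balance": row[2]}


def account_info_safe(conn: sqlite3.Connection, session_user: str,
                      requested_acct: str) -> Optional[dict]:
    """Hardened lookup: the owner comes from the server-side session, never from
    the request, and the query only matches rows the caller owns."""
    row = conn.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
        (requested_acct, session_user),
    ).fetchone()
    # Return 'not found' rather than 'forbidden' so the response does not confirm
    # that the guessed account identifier exists.
    return None if row is None else {"acct": row[0], "owner": row[1], "balance": row[2]}


if __name__ == "__main__":
    db = build_db()
    # Alice's session asks for Bob's account, as in the page's ?acct=notmyacct URL.
    print("vulnerable:", account_info_vulnerable(db, "acct-bob"))
    print("safe:      ", account_info_safe(db, "alice", "acct-bob"))
    print("own:       ", account_info_safe(db, "alice", "acct-alice"))
```

The safe variant also generalizes: for any per-user resource, the ownership predicate belongs in the query (or in an equivalent check before the data is returned), keyed on the session identity rather than on anything the client sent.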

## Scenario 2

An attacker simply force-browses to target URLs. Admin rights are required for access to the admin page.

```
 https://example.com/app/getappInfo
 https://example.com/app/admin_getappInfo
```

If an unauthenticated user can access either page, it's a flaw. If a non-admin can access the admin page, this is a flaw.
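The two rules in Scenario 2 can be turned into a check that is run against a dispatcher. Below is an added example, not code from the original page or from OWASP: a constructed route table that declares the minimum role each of the page's two URLs needs, a deliberately flawed dispatcher that serves any route it knows about, a deny-by-default dispatcher, and a `find_flaws` audit that exercises every (principal, route) pair and reports exactly the cases the page calls flaws. The route table, role names, and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Session:
    user: str
    role: str  # constructed roles: "user" or "admin"

# Constructed route table (not from the original page): every route names the
# minimum role required; a path that is not listed is denied outright.
ROUTES = {
    "/app/getappInfo": "user",
    "/app/admin_getappInfo": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def dispatch_vulnerable(session: Optional[Session], path: str) -> int:
    """Flawed dispatcher: if a handler exists it is served. The 'admin_' prefix
    is only a naming convention, so force-browsing to the URL is enough."""
    if path not in ROUTES:
        return 404
    return 200


def dispatch_safe(session: Optional[Session], path: str) -> int:
    """Deny-by-default dispatcher: unknown route -> 404, no session -> 401,
    insufficient role -> 403, otherwise 200."""
    if path not in ROUTES:
        return 404
    if session is None:
        return 401
    required = ROUTES[path]
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required]:
        return 403
    return 200


# Principals used by the audit: anonymous, an ordinary user, and an admin.
PRINCIPALS: List[Tuple[str, Optional[Session]]] = [
    ("anonymous", None),
    ("alice", Session("alice", "user")),
    ("root", Session("root", "admin")),
]


def find_flaws(dispatch: Callable[[Optional[Session], str], int]) -> List[Tuple[str, str]]:
    """Apply the page's two rules to every principal/route pair and return the
    (principal, path) pairs the dispatcher wrongly serves with 200."""
    flaws = []
    for label, session in PRINCIPALS:
        for path, required in ROUTES.items():
            served = dispatch(session, path) == 200
            if session is None:
                allowed = False                       # unauthenticated: never
            else:
                allowed = ROLE_RANK[session.role] >= ROLE_RANK[required]
            if served and not allowed:
                flaws.append((label, path))
    return flaws


if __name__ == "__main__":
    print("vulnerable:", find_flaws(dispatch_vulnerable))
    print("safe:      ", find_flaws(dispatch_safe))
```

The audit is the useful part in practice: enumerating every route against every role class is how missing function-level checks are found before an attacker does it by hand, and the same matrix doubles as a regression test once the checks are in place.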

## Reference

{% embed url="https://owasp.org/Top10/A01_2021-Broken_Access_Control" %}
A01 Broken Access Control - OWASP
{% endembed %}
