# Broken Access Control (A01:2021)

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.

## Overview

Moving up from #5, 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

## How Attackers Exploit This

### Parameter tampering

An attacker modifies URL parameters or hidden form fields to access unauthorized resources. For example, changing an account number in a URL to view another user's data.

**Detection signal:** Requests with sequential IDs being tested, or parameters being modified in unexpected ways

### Forced browsing

An attacker accesses pages that should require authentication by directly entering the URL, bypassing the intended navigation flow.

**Detection signal:** Direct requests to admin or privileged URLs without proper session tokens

### Privilege escalation

A standard user gains access to admin functionality by manipulating their role or permissions data.
**Detection signal:** Role parameters being modified in requests, or admin endpoints accessed by non-admin sessions

## How to Prevent

- Except for public resources, deny by default
- Implement access control mechanisms once and reuse them throughout the application
- Model access controls should enforce record ownership
- Disable web server directory listing and ensure metadata files are not present
- Log access control failures and alert admins when appropriate
- Rate limit API and controller access to minimize the harm from automated attack tooling
- Invalidate stateful session identifiers on logout

## CWEs with Detection Rules (12)

- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor (14 rules) [go, javascript, typescript, python]
- **CWE-639**: Authorization Bypass Through User-Controlled Key (8 rules) [go, javascript, typescript, python]
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6 rules) [go, javascript, typescript, python]
- **CWE-284**: Improper Access Control (4 rules) [go, javascript, typescript, kubernetes, yaml, python]
- **CWE-601**: URL Redirection to Untrusted Site ('Open Redirect') (4 rules) [go, javascript, typescript, python]
- **CWE-201**: Insertion of Sensitive Information Into Sent Data (3 rules) [go, javascript, typescript, python]
- **CWE-285**: Improper Authorization (3 rules) [javascript, typescript]
- **CWE-352**: Cross-Site Request Forgery (CSRF) (3 rules) [javascript, typescript, python, go]
- **CWE-668**: Exposure of Resource to Wrong Sphere (3 rules) [yaml, typescript]
- **CWE-862**: Missing Authorization (3 rules) [go, javascript, typescript, python]
- **CWE-377**: Insecure Temporary File (1 rule) [python]
- **CWE-425**: Direct Request ('Forced Browsing') (1 rule) [python]

## Other Mapped CWEs (22)

- CWE-23
- CWE-35
- CWE-59
- CWE-219
- CWE-264
- CWE-275
- CWE-276
- CWE-359
- CWE-402
- CWE-441
- CWE-497
- CWE-538
- CWE-540
- CWE-548
- CWE-552
- CWE-566
- CWE-651
- CWE-706
- CWE-863: Incorrect Authorization
- CWE-913
- CWE-922
- CWE-1275

## Quick Reference

- Total CWEs: 34
- With Shoulder rules: 12
- Detection rules: 53
- Critical rules: 13
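As an added example (not from this page or the Shoulder rule set) of the How to Prevent items above, the Python below puts a CWE-639-style lookup beside a single reusable authorization gate that denies by default, enforces record ownership, restricts admin-only actions by role and logs every failure. The `ACCOUNTS`/`ROLES` data, the function names and the `is_allowed` helper are constructed for illustration.

```python
import logging

log = logging.getLogger("access-control")

# Constructed sample data (not from the page): account records and user roles.
ACCOUNTS = {1001: {"owner": "alice", "balance": 250}, 1002: {"owner": "bob", "balance": 75}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class AccessDenied(Exception):
    """Raised whenever the gate does not positively allow the request."""

def get_account_vulnerable(session_user, account_id):
    # CWE-639: record fetched by a user-controlled key; the caller's identity is never checked.
    return ACCOUNTS[account_id]

def authorize(roles=(), owner_field=None):
    """One reusable gate: deny by default; allow only a listed role or the record owner."""
    def decorator(fn):
        def wrapper(session_user, record_id):
            role = ROLES.get(session_user)
            record = ACCOUNTS.get(record_id)
            allowed = False
            if record is not None and role is not None:
                allowed = role in roles or (
                    owner_field is not None and record.get(owner_field) == session_user)
            if not allowed:
                # Log the failure for alerting; a missing record is denied exactly like a
                # forbidden one so the response does not reveal which IDs exist.
                log.warning("access denied user=%s role=%s record=%s", session_user, role, record_id)
                raise AccessDenied(f"{session_user} may not access record {record_id}")
            return fn(session_user, record_id)
        return wrapper
    return decorator

@authorize(roles=("admin",), owner_field="owner")
def get_account(session_user, account_id):
    return ACCOUNTS[account_id]

@authorize(roles=("admin",))
def freeze_account(session_user, account_id):
    ACCOUNTS[account_id]["frozen"] = True
    return ACCOUNTS[account_id]

def is_allowed(fn, session_user, record_id):
    # True if the gated call succeeds, False if the gate denied it.
    try:
        fn(session_user, record_id)
        return True
    except AccessDenied:
        return False
```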