# Broken Access Control (A01:2025)

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data. This category now includes SSRF.

## Overview

Broken Access Control maintains its position at #1 as the most critical web application security risk. 3.73% of applications tested had one or more of the 40 CWEs mapped to this category. Server-Side Request Forgery (SSRF) has been consolidated into this category, reflecting the impact SSRF has on access controls.

## How Attackers Exploit This

### Parameter tampering

An attacker modifies URL parameters or hidden form fields to access unauthorized resources. For example, changing an account number in a URL to view another user's data.

**Detection signal:** Requests with sequential IDs being tested, or parameters being modified in unexpected ways.

### Forced browsing

An attacker accesses pages that should require authentication by directly entering the URL, bypassing the intended navigation flow.

**Detection signal:** Direct requests to admin or privileged URLs without proper session tokens.

### Server-Side Request Forgery (SSRF)

The server is manipulated to make requests to internal services or cloud metadata endpoints, bypassing network access controls.

**Detection signal:** Requests to internal IP ranges, localhost, or cloud metadata endpoints (169.254.169.254).

## How to Prevent

- Except for public resources, deny by default
- Implement access control mechanisms once and reuse them throughout the application
- Model access controls should enforce record ownership
- Disable web server directory listing and ensure metadata files are not present
- Log access control failures and alert admins when appropriate
- Rate limit API and controller access to minimize the impact of automated attack tooling
- Invalidate stateful session identifiers on logout
- Validate and sanitize user-supplied URLs before making server-side requests

## CWEs with Detection Rules (13)

- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor (14 rules) [go, javascript, typescript, python]
- **CWE-639**: Authorization Bypass Through User-Controlled Key (8 rules) [go, javascript, typescript, python]
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6 rules) [go, javascript, typescript, python]
- **CWE-284**: Improper Access Control (4 rules) [go, javascript, typescript, kubernetes, yaml, python]
- **CWE-601**: URL Redirection to Untrusted Site ('Open Redirect') (4 rules) [go, javascript, typescript, python]
- **CWE-918**: Server-Side Request Forgery (SSRF) (4 rules) [go, javascript, typescript, python]
- **CWE-201**: Insertion of Sensitive Information Into Sent Data (3 rules) [go, javascript, typescript, python]
- **CWE-285**: Improper Authorization (3 rules) [javascript, typescript]
- **CWE-352**: Cross-Site Request Forgery (CSRF) (3 rules) [javascript, typescript, python, go]
- **CWE-668**: Exposure of Resource to Wrong Sphere (3 rules) [yaml, typescript]
- **CWE-862**: Missing Authorization (3 rules) [go, javascript, typescript, python]
- **CWE-377**: Insecure Temporary File (1 rule) [python]
- **CWE-425**: Direct Request ('Forced Browsing') (1 rule) [python]

## Other Mapped CWEs (22)

- CWE-23
- CWE-35
- CWE-59
- CWE-219
- CWE-264
- CWE-275
- CWE-276
- CWE-359
- CWE-402
- CWE-441
- CWE-497
- CWE-538
- CWE-540
- CWE-548
- CWE-552
- CWE-566
- CWE-651
- CWE-706
- CWE-863: Incorrect Authorization
- CWE-913
- CWE-922
- CWE-1275

## Quick Reference

- Total CWEs: 35
- With Shoulder rules: 13
- Detection rules: 57
- Critical rules: 13
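The three detection signals listed under "How Attackers Exploit This" (sequential ID enumeration, privileged URLs requested without a session, and server-side fetches aimed at internal or metadata addresses), run over constructed sample log lines. This is an added example written for this page, not code from the original page or from the Shoulder rule set; the two log formats, the `/accounts/<id>` and `/admin` paths, and the run-length threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed inbound access-log lines (not real traffic): client_ip session method path.
# A session of "-" means the request carried no session token.
INBOUND_LOG = """\
198.51.100.7 sess-a1 GET /accounts/1001
198.51.100.7 sess-a1 GET /accounts/1002
198.51.100.7 sess-a1 GET /accounts/1003
198.51.100.7 sess-a1 GET /accounts/1004
203.0.113.9 - GET /admin/users
203.0.113.9 sess-b2 GET /profile
198.51.100.7 sess-a1 GET /static/logo.png
""".splitlines()

# Constructed outbound-request log lines from a URL-fetching feature: requester_ip url
OUTBOUND_LOG = """\
198.51.100.7 https://example.com/feed.xml
203.0.113.9 http://169.254.169.254/latest/meta-data/
203.0.113.9 http://localhost:8080/internal/health
198.51.100.7 http://10.0.0.5/admin
""".splitlines()

ACCOUNT_RE = re.compile(r"^/accounts/(\d+)$")  # assumed record-by-ID route
PRIVILEGED_PREFIXES = ("/admin",)               # assumed privileged area
SEQUENTIAL_THRESHOLD = 3                        # consecutive IDs from one client before alerting


def parse_inbound(line):
    """Split one constructed inbound log line into its four fields."""
    client, session, method, path = line.split()
    return client, (None if session == "-" else session), method, path


def detect_sequential_ids(lines=INBOUND_LOG, threshold=SEQUENTIAL_THRESHOLD):
    """Parameter tampering signal: one client walking /accounts/<id> in order."""
    ids_by_client = defaultdict(list)
    for line in lines:
        client, _, _, path = parse_inbound(line)
        m = ACCOUNT_RE.match(path)
        if m:
            ids_by_client[client].append(int(m.group(1)))
    flagged = []
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.append(client)
                break
    return flagged


def detect_forced_browsing(lines=INBOUND_LOG):
    """Forced browsing signal: privileged path requested without a session token."""
    return [path for _, session, _, path in map(parse_inbound, lines)
            if session is None and path.startswith(PRIVILEGED_PREFIXES)]


def is_internal_target(url):
    """True when the URL's host is localhost, loopback, private or link-local
    (169.254.169.254 is link-local). A DNS name is not resolved here; a
    pre-request validator must also check every address the name resolves to."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def detect_ssrf_targets(lines=OUTBOUND_LOG):
    """SSRF signal: server-side fetches aimed at internal or metadata addresses."""
    return [url for _, url in (line.split() for line in lines) if is_internal_target(url)]


if __name__ == "__main__":
    print("sequential-id enumeration:", detect_sequential_ids())
    print("forced browsing:", detect_forced_browsing())
    print("internal fetch targets:", detect_ssrf_targets())
```

`is_internal_target` is the same host check the last prevention item ("validate and sanitize user-supplied URLs before making server-side requests") needs at request time, with the caveat in its docstring: at that point the hostname must be resolved and each resolved address tested, and redirects followed by the fetcher must be re-checked, or the literal-IP check alone is bypassable by a DNS name that resolves to an internal address.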
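The first three prevention items (deny by default, one reusable access control mechanism, record ownership) together with "log access control failures", as an added example that is not the page's or any project's code. The `User` and `Account` records, the `can_access` policy function and the `require_access` decorator are constructed for illustration; a web framework would call the decorated handlers from its routing layer.

```python
import logging
from dataclasses import dataclass
from functools import wraps

log = logging.getLogger("access_control")


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass
class Account:
    id: int
    owner_id: int
    balance: int


class Forbidden(Exception):
    """Raised for every denied request; the web layer maps it to HTTP 403."""


# Constructed sample records (assumed data model).
ACCOUNTS = {
    1001: Account(id=1001, owner_id=1, balance=500),
    1002: Account(id=1002, owner_id=2, balance=900),
}


def can_access(user, action, account):
    """The single policy function the whole application reuses.

    Deny unless a rule explicitly grants: the record owner may read and update
    their own account; an auditor may read any account; nothing else is allowed.
    """
    if account.owner_id == user.id and action in {"read", "update"}:
        return True
    if "auditor" in user.roles and action == "read":
        return True
    return False


def require_access(action):
    """Decorator that loads the record and enforces can_access before the handler runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, account_id, *args, **kwargs):
            account = ACCOUNTS.get(account_id)
            if account is None or not can_access(user, action, account):
                # Log with enough context to alert on, but return the same error for
                # "no such record" and "not yours", so the response does not reveal
                # which account IDs exist to a client trying sequential IDs.
                log.warning("access denied user=%s action=%s account=%s",
                            user.id, action, account_id)
                raise Forbidden(f"{action} on account {account_id} denied")
            return handler(user, account, *args, **kwargs)
        return wrapper
    return decorator


@require_access("read")
def view_balance(user, account):
    return account.balance


@require_access("update")
def deposit(user, account, amount):
    account.balance += amount
    return account.balance


def is_denied(handler, *args):
    """True if the handler refuses the call (used for the checks below)."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice = User(id=1)
    auditor = User(id=9, roles=frozenset({"auditor"}))
    print(view_balance(alice, 1001))              # owner reads own record
    print(view_balance(auditor, 1002))            # auditor may read any record
    print(is_denied(view_balance, alice, 1002))   # another user's record: denied
    print(is_denied(deposit, auditor, 1002, 10))  # auditor may not update
```

Because every handler goes through `require_access`, a new endpoint that forgets to state its action simply cannot be called with a record, which is what "deny by default" means in practice; the ownership rule lives in `can_access` alone, so changing policy is a one-place edit rather than a search through every controller.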