Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user. Common access control vulnerabilities include:

* Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
* Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
* Acting as a user without being logged in, or acting as an admin when logged in as a user.
* Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
* CORS misconfiguration allows unauthorized API access.
* Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
* Accessing API with missing access controls for POST, PUT and DELETE.

Access control is only effective if enforced in trusted server-side code or server-less API, where the attacker cannot modify the access control check or metadata.

* With the exception of public resources, deny by default.
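An added example (not part of the OWASP text) showing two of the failures listed above in Python: a record lookup that trusts the client-supplied account id, beside a server-side, deny-by-default policy check with an ownership rule. The `User`, `ACCOUNTS` and `POLICY` names and the sample records are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset  # constructed: e.g. {"user"} or {"user", "admin"}

# Constructed sample data: account id -> record with its owning user id.
ACCOUNTS = {
    101: {"owner": 1, "email": "alice@example.invalid"},
    102: {"owner": 2, "email": "bob@example.invalid"},
}

def get_account_vulnerable(user, account_id):
    """Vulnerable: the id from the request selects the record with no check
    that the caller owns it, so changing 101 to 102 exposes another user's data."""
    return ACCOUNTS.get(account_id)

# Hardened: an explicit, server-side policy table. Each rule decides whether
# `user` may perform `action` on `resource`; anything not listed is denied.
POLICY = {
    "account:read": lambda user, acct: acct["owner"] == user.id or "admin" in user.roles,
    "account:update": lambda user, acct: acct["owner"] == user.id,
}

def authorize(user, action, resource):
    if user is None:            # unauthenticated caller: deny
        return False
    rule = POLICY.get(action)   # no rule for this action: deny by default
    if rule is None:
        return False
    return bool(rule(user, resource))

def get_account(user, account_id):
    """Hardened lookup: same None result for 'not found' and 'forbidden',
    so a caller cannot tell which ids exist by probing."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or not authorize(user, "account:read", acct):
        return None
    return acct
```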