Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A01: Broken access control

Can the wrong person on your website see or change the wrong data?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

The most common web-application flaw. About whether the website properly enforces who can do what once someone's logged in. A flaw means customer A can sometimes view customer B's records by changing a URL, or that “admin” pages exist that any logged-in user can reach.

Questions to ask yourself

  • Have we tested ‘logged in as customer A, view customer B's data’?
  • Are admin URLs publicly guessable?
  • Did the same person who wrote the front-end check the back-end permissions?
  • Have we ever had a third party test this specifically?

For owners — questions to ask your developer

Questions to ask your developer

Access control is the #1 web-app flaw. None of these need you to write code — they need you to ask, commission, and decide.

  • 01“Show me the access-control matrix for our customer portal — who can see what, who can do what. If you can't produce one, that's the answer.”
  • 02“When the portal was built, did you specifically test ‘logged in as one customer, try to view another customer's data’?”
  • 03Decision: For anything that handles money or personal data, commission an external penetration test before launch and annually after.