Broken access control quietly climbed to the top of the OWASP rankings, and the position is well deserved. Every other vulnerability class involves an attacker doing something the system was never built to allow. Access control failures involve the system happily doing what it was asked, but for the wrong user. That distinction matters because the bugs hide in plain sight, look like normal traffic in the logs and frequently survive years of routine security testing.
Insecure Direct Object References Are Everywhere
Show me an application built on REST and I will show you an endpoint that accepts an identifier and returns the corresponding record. Now show me the same endpoint and tell me how it confirms the caller is allowed to see that record. The honest answer in many codebases is that nobody checked recently, or the check exists in one controller and was forgotten in three others. A skilled tester from a top pen testing company will walk through your endpoints in pairs, comparing what one user can fetch about another, and the gaps emerge quickly.
Privilege Boundaries Need Continuous Verification
Roles and permissions tend to ossify over the life of an application. Someone adds a new role, gives it sensible permissions and moves on. Two years later the same role has accumulated capabilities that nobody intended. The result is privilege creep, where ordinary users hold rights that should sit with administrators. Building access control tests into your CI pipeline is the only sustainable answer at scale.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd

The most expensive access control breach I have investigated involved a single missing check on a reporting endpoint. The vulnerability had been there for years. The customer found it when a competitor downloaded their entire pricing database and undercut them on a major tender.
Why Audit Trails Matter Here
A surprising number of access control compromises only surface during audit log review weeks or months after the fact. The pattern is that the application logs the request but not the authorisation decision, which means it is impossible to distinguish legitimate access from a successful bypass after the event. Build authorisation outcomes into your application logs. Log who requested what, what decision was made and why. The storage cost is minimal. The investigative value is enormous when something does go wrong. Detection coverage for access control failures is usually weak because the requests themselves look legitimate. Investing in proper logging gives you the ability to spot exploitation patterns even when the application itself accepted the request as valid.
Horizontal And Vertical Together
There are two flavours of access control failure. Horizontal failures let a user see another user's data at the same privilege level. Vertical failures let a user escalate beyond their assigned role. Most security testing finds one and misses the other. Insist on coverage of both during web application pen testing so the awkward gaps come out before they reach the press.
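To tie the three points together (the unchecked identifier endpoint, logging the authorisation decision rather than just the request, and covering horizontal and vertical boundaries in one place), here is an added example in Python; it is not code from the original post or from Aardwolf Security, and the users, records, roles and action names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"

# Constructed sample data: record id -> (owner, payload).
RECORDS = {101: ("alice", "alice's invoice"), 102: ("bob", "bob's invoice")}
ADMIN_ONLY = {"export_all"}   # actions that sit behind the vertical boundary
AUDIT_LOG: list = []          # one entry per request, including the decision

def get_record_unchecked(record_id: int) -> str:
    """The IDOR pattern: any caller who knows an id gets the record."""
    return RECORDS[record_id][1]

def authorize(user: User, action: str, record_id: Optional[int] = None):
    """Return (allowed, reason). The reason is what ends up in the audit log."""
    if action in ADMIN_ONLY:                       # vertical: role check
        return user.role == "admin", f"{action} needs admin; caller role={user.role}"
    if action == "read" and record_id is not None: # horizontal: ownership check
        if record_id not in RECORDS:
            return False, f"record {record_id} does not exist"
        owner = RECORDS[record_id][0]
        ok = user.role == "admin" or owner == user.name
        return ok, f"owner={owner} caller={user.name} role={user.role}"
    return False, f"unknown action {action}"

def get_record(user: User, record_id: int) -> Optional[str]:
    """Hardened handler: decide, log who/what/decision/why, then act."""
    allowed, reason = authorize(user, "read", record_id)
    AUDIT_LOG.append({"who": user.name, "action": "read", "target": record_id,
                      "decision": "allow" if allowed else "deny", "why": reason})
    return RECORDS[record_id][1] if allowed else None

def suspicious_callers(log: list, threshold: int = 3) -> set:
    """Detection over the log: callers denied on >= threshold distinct records,
    a pattern that request logs without the decision cannot reveal."""
    denied: dict = {}
    for entry in log:
        if entry["decision"] == "deny":
            denied.setdefault(entry["who"], set()).add(entry["target"])
    return {who for who, targets in denied.items() if len(targets) >= threshold}
```

The contrast to notice is that a request log would show the same GET for both handlers; only the hardened one records a decision and reason that a reviewer can query weeks later.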
If your last assessment did not include a multi-user role matrix, you probably do not have the assurance you think you do. Access control is one of those areas where the principle is simple, the implementation is unglamorous and the consequences of getting it wrong are completely disproportionate to the cost of getting it right. Web application security is a discipline that rewards patient investment. The teams that treat it as ongoing work consistently outperform the ones that treat it as a project with an end date.