Table of Contents
  • Home
  • /
  • Blog
  • /
  • Broken Access Control – The #1 Web Application Security Risk
January 29, 2024

Broken Access Control – The #1 Web Application Security Risk

Broken Access Control The 1 Web Application Security Risk

Creating secure authorization is key to protecting your web apps

Broken Access Control allows attackers to bypass authorization and gain access to accounts and permissions they shouldn’t have. This category groups many common weaknesses that enable unauthorized access to sensitive data.

Why Broken Access Control tops the list?

Broken Access Control tops the OWASP Top 10 2021 list for good reason:

  • OWASP found over 300,000 occurrences, the highest among the Top 10 risks

  • It covers 34 Common Weakness Enumerations (CWEs)

  • Over 19,000 publicly disclosed vulnerabilities (CVEs) fall under this category

  • Average exploitability score of 7.0 and impact score of 5.9 out of 10

Implementing proper access control measures is therefore critical. Let’s look at some common examples under this expansive category.

CWES Mapped34
Max Incidence Rate55.97%
Avg Incidence Rate3.81%
Avg Weighted Exploit6.92
Avg Weighted Impact5.93
Max Coverage94.55%
Max Coverage47.72%
Total Occurrences318,487
Total CVEs19,013

A01:2021 – Broken Access Control

Not implementing principle of least privilege

A prime culprit is not enforcing least privilege access. The default behavior should be to automatically deny all access, only allowing what is absolutely necessary. But failing to do so creates a massive attack surface.

A famous case is the large bank data breach where attackers realized they could access sensitive customer information by tweaking account numbers in the URL. Using scripts, they harvested data for 350,000 accounts. This weakness is categorized under CWE-639 Authorization Bypass Through User-Controlled Key.

CORS misconfigurations open sites to attacks

Another common issue is misconfiguring CORS (Cross-Origin Resource Sharing). Many apps need to access resources from other domains, and CORS enables this cross-domain access. But something as simple as a wildcard in allowed origins can let attackers spoof trusted domains.

The most dangerous CORS config allows access from [Trusted Null Origin], opening the site to anyone. Shockingly, a Shodan search reveals over 9500 sites with this vulnerability. This weakness comes under CWE-942 Permissive Cross-Domain Policy with Untrusted Domains.

CSRF – Forcing users to execute unwanted actions

Another major risk is CSRF or Cross-Site Request Forgery attacks. Here, attackers trick logged-in users into unknowingly running malicious requests using their credentials and sessions.

A common example is using hidden form fields to update a user’s email to the attacker’s, grabbing control of the account. Major sites like social media platforms, video streaming portals and banks have fallen victim to costly CSRF attacks. This weakness is marked under CWE-352 Cross-Site Request Forgery (CSRF).

We hope this post helped in learning about OWASP Top #1 application security risk Broken Access Control. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website,, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.  

Rajeshwari KA

Rajeshwari KA is a Software Architect who has worked on full-stack development, Software Design, and Architecture for small and large-scale mission-critical applications in her 18 + years of experience.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription