OWASP Top 10

Broken Access Control Challenges

OWASP A01:2021 - Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.
IDOR (Insecure Direct Object Reference)

Access other users' data by manipulating object references (IDs) in requests. Learn how missing authorization checks lead to data exposure.

  • Difficulty: Beginner
  • Points: 100
  • Estimated Time: 15 minutes
  • Skills: Parameter manipulation, enumeration
Privilege Escalation

Escalate from a regular user to admin by exploiting missing server-side authorization checks and parameter tampering.

  • Difficulty: Easy
  • Points: 150
  • Estimated Time: 20 minutes
  • Skills: Role manipulation, API tampering
Path Traversal

Break out of restricted directories by using path traversal sequences to access sensitive system files.

  • Difficulty: Medium
  • Points: 200
  • Estimated Time: 25 minutes
  • Skills: Directory traversal, file system navigation

Learning Resources

Types of Access Control Vulnerabilities
  • IDOR: Accessing objects by manipulating identifiers (IDs, filenames, etc.)
  • Vertical Privilege Escalation: Gaining higher privileges (user to admin)
  • Horizontal Privilege Escalation: Accessing other users' data at same privilege level
  • Path Traversal: Accessing files outside intended directories
  • Missing Function Level Access Control: Accessing admin functions without authorization
Common Attack Patterns
  • Modifying URL parameters: /api/users/123 to /api/users/124
  • Changing hidden form fields or cookies
  • Manipulating JWT claims or session data
  • Using ../ sequences to traverse directories
  • Accessing admin endpoints directly
Prevention Techniques
  • Deny by Default: Require explicit authorization for each resource
  • Server-Side Validation: Never trust client-side access controls
  • Use Indirect References: Map user-specific IDs to internal references
  • Implement RBAC/ABAC: Role or attribute-based access control
  • Log Access Attempts: Monitor and alert on suspicious patterns
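The prevention techniques above in working form, as an added example that is not part of the original page: a document lookup with the IDOR from the Beginner challenge beside a hardened version that denies by default, checks ownership server-side, and hands out indirect per-user references. The in-memory store, user names and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str = "user"
    # Indirect references: opaque per-user handle -> internal document id
    handles: dict = field(default_factory=dict)

# Constructed in-memory store: internal id -> (owner, contents)
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical record"),
}

def get_document_vulnerable(user: User, doc_id: int) -> str:
    """IDOR: trusts the caller-supplied id and never checks who owns it."""
    return DOCUMENTS[doc_id][1]

def get_document(user: User, doc_id: int) -> str:
    """Deny by default: only the owner or an admin may read the document."""
    owner, contents = DOCUMENTS.get(doc_id, (None, None))
    # Missing and foreign documents get the same refusal, so a caller
    # cannot tell which ids exist by probing.
    if owner is None or not (user.role == "admin" or user.name == owner):
        raise PermissionError(f"access denied for {user.name} on {doc_id}")
    return contents

def issue_handle(user: User, doc_id: int) -> str:
    """Indirect reference: map an internal id to an unguessable per-user handle."""
    get_document(user, doc_id)  # authorize server-side before issuing
    handle = secrets.token_urlsafe(16)
    user.handles[handle] = doc_id
    return handle

def get_document_by_handle(user: User, handle: str) -> str:
    """Resolve a handle only through the requesting user's own map."""
    doc_id = user.handles.get(handle)
    if doc_id is None:
        raise PermissionError("unknown handle")
    return get_document(user, doc_id)  # ownership re-checked on every read

def is_denied(fn, *args) -> bool:
    """True when the call is refused; used to verify the checks."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```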