Broken Access Control

Broken Access Control (BAC) is the way in which attackers bypass a web application’s access control, also known as authorization, to resources and functions, granting authorization to some users and denying it to others. Common examples of broken access control include insecure user ID’s, client-side caching, forced browsing to authenticated pages, elevation of privilege, and more. The ramifications of BAC range from viewing unauthorized content to harmful application takeover.

BAC was listed as the #1 most critical security risk to web applications in the 2021 OWASP Top Ten.

Related Terms

Application Security Posture Management

AppSec, but so much

Reclaim AppSec