Broken Access Control
Authorization that fails to enforce who can do what.
What it is
Broken access control retains the #1 position in OWASP Top 10:2025. It covers any path by which a user performs an action, or reaches data, outside what they are authorized for: bypassing access checks through URL manipulation, modifying request metadata such as cookies, headers or hidden fields, reaching another user's resources through Insecure Direct Object Reference (IDOR), elevating privileges, or completing state changes that should require a further confirmation step. Modern web frameworks ship secure-by-default access patterns, but checks that are mis-applied, enforced only in the UI, or skipped altogether remain the dominant root cause of the breaches disclosed in this category. The 2025 edition also folds Server-Side Request Forgery (SSRF) into this category; SSRF previously had its own entry, A10:2021.
Common patterns
- IDOR: fetching a resource by a request-supplied ID without verifying that the authenticated user owns it or otherwise has rights to it.
- Relying on the UI hiding a link or button instead of enforcing authorization on the backend API the action actually calls.
- CSRF: state-changing operations that rely on the session cookie alone, with no CSRF token, SameSite cookie attribute, or Origin/Referer check.
- Privilege escalation through parameter tampering (role=admin in a request body that is copied into the user record).
- Path traversal: user-supplied file names with ../ segments that are not canonicalized against the permitted root, allowing reads or writes outside the intended directory.
- SSRF: server-side fetches of user-supplied URLs without a host allowlist, or that can reach the cloud instance metadata service (IMDS).
- CORS misconfiguration that reflects any Origin together with Access-Control-Allow-Credentials: true, so any site can read authenticated responses.
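The two patterns that show up most often in code review, IDOR and parameter tampering, side by side with their fixes. This is an added example written for this page, not Deva's code or scanner output; the table layout, function names and the two sample users are constructed for the demo, and the database is an in-memory SQLite file so it runs offline.

```python
"""IDOR and parameter tampering (mass assignment), vulnerable and fixed side by side.

Added example for this page, not Deva's code or its scanner output. The table
layout, function names and the two sample users are assumptions constructed for
the demo; the database is an in-memory SQLite file so it runs offline.
"""
import sqlite3

# Fields a user may write to their own profile. 'role' is deliberately absent.
WRITABLE_PROFILE_FIELDS = frozenset({"display_name", "email"})


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two ordinary users, each owning one document."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT, role TEXT);
        CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test', 'user');
        INSERT INTO users VALUES (2, 'bob',   'bob@example.test',   'user');
        INSERT INTO documents VALUES (100, 1, 'alice private notes');
        INSERT INTO documents VALUES (101, 2, 'bob private notes');
        """
    )
    return conn


def get_document_vulnerable(conn, current_user_id: int, doc_id: int):
    """IDOR: the caller is authenticated, but the query never asks who owns row doc_id,
    so alice can read bob's document just by changing the id in the request."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row["body"] if row else None


def get_document(conn, current_user_id: int, doc_id: int):
    """Ownership predicate inside the query. A document the caller does not own is
    indistinguishable from one that does not exist, which also removes an
    existence oracle."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, current_user_id),
    ).fetchone()
    return row["body"] if row else None


def current_role(conn, user_id: int) -> str:
    return conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()["role"]


def update_profile_vulnerable(conn, current_user_id: int, body: dict) -> str:
    """Parameter tampering: every key in the JSON body is written to the user's row,
    so a body containing "role": "admin" elevates the caller. Returns the resulting role."""
    for column, value in body.items():
        # Column name comes straight from the request: the mass-assignment bug.
        conn.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (value, current_user_id))
    return current_role(conn, current_user_id)


def update_profile(conn, current_user_id: int, body: dict) -> str:
    """Only allowlisted columns are written; 'role' or 'id' in the body is dropped.
    The f-string is safe here because column is drawn from the fixed allowlist."""
    for column in body.keys() & WRITABLE_PROFILE_FIELDS:
        conn.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (body[column], current_user_id))
    return current_role(conn, current_user_id)


def demo() -> dict:
    """Run both variants as alice (id 1) against bob's document and a tampered body."""
    alice = 1
    tampered = {"display_name": "alice", "role": "admin"}
    return {
        "vuln_reads_bobs_doc": get_document_vulnerable(make_db(), alice, 101),
        "fixed_reads_bobs_doc": get_document(make_db(), alice, 101),
        "fixed_reads_own_doc": get_document(make_db(), alice, 100),
        "vuln_role_after_tamper": update_profile_vulnerable(make_db(), alice, tampered),
        "fixed_role_after_tamper": update_profile(make_db(), alice, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The fixed read puts the ownership predicate in the SQL rather than checking it in Python after the fetch, so a handler cannot forget the check on one branch, and a non-owner sees the same 404-style result as for a nonexistent id. The fixed update is the allowlist form of the mass-assignment fix; a denylist of "role" alone breaks as soon as a new privileged column is added.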
CWE guides Deva ships for A01
What Deva detects
Deva detects API handlers that accept resource IDs from the request without enforcing an ownership predicate in the database query. The scanner identifies routes that lack authentication middleware on sensitive paths, state-changing endpoints without CSRF token validation, and file operations that do not canonicalize the supplied path against a permitted root. SSRF-prone fetches and requests aimed at the instance metadata service are flagged, with suggested fixes that validate the target against a host allowlist and the resolved address.
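Two of the checks just described, canonicalizing a path against a permitted root and validating an outbound URL for SSRF, written out as an added example that also covers the path-traversal and SSRF bullets above. This is not Deva's code or its suggested fix; the function names, the allowlist and the fake DNS table are assumptions constructed so the example runs offline (8.8.8.8 stands in for any public address).

```python
"""Path canonicalization against a permitted root, and outbound-URL validation for
SSRF, as an added example of the two checks described above. This is not Deva's
code or its suggested fix; function names, the allowlist and the fake DNS table
are assumptions constructed so the example runs offline.
"""
from __future__ import annotations

import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Constructed DNS answers. 8.8.8.8 stands in for any public address; the
# 'rebind' and 'v6map' names model an allowlisted host that resolves inward.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "rebind.partner.example": ["169.254.169.254"],
    "v6map.partner.example": ["::ffff:169.254.169.254"],
}

ALLOWED_HOSTS = {"api.partner.example", "rebind.partner.example", "v6map.partner.example"}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def real_resolver(host: str) -> list[str]:
    """Production resolver: every address the name maps to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def safe_join(root: str, user_path: str) -> str | None:
    """Return the canonical absolute path for user_path under root, or None if it
    escapes. realpath resolves '..' segments and symlinks; commonpath compares whole
    components, so '/srv/uploads-old' is not treated as inside '/srv/uploads'."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def validate_outbound_url(url: str, allowed_hosts: set[str], resolve=fake_resolver) -> tuple[bool, str]:
    """Accept only https URLs whose host is on the allowlist and whose every resolved
    address is public. Returns (ok, reason). Connect to the address that was checked,
    not to the name again, or a DNS rebind between check and connect defeats this."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    # .hostname drops userinfo, so https://allowed@evil/ yields 'evil', not 'allowed'
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 target
        if not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def demo() -> dict:
    """Constructed inputs: one legitimate case and the usual bypass attempts for each check."""
    return {
        "ok_path": safe_join("/srv/uploads", "reports/q1.pdf"),
        "dotdot": safe_join("/srv/uploads", "../../etc/passwd"),
        "absolute": safe_join("/srv/uploads", "/etc/passwd"),
        "sibling": safe_join("/srv/uploads", "../uploads-old/x"),
        "ok_url": validate_outbound_url("https://api.partner.example/v1/export", ALLOWED_HOSTS),
        "http": validate_outbound_url("http://api.partner.example/", ALLOWED_HOSTS),
        "imds": validate_outbound_url("https://169.254.169.254/latest/meta-data/", ALLOWED_HOSTS),
        "userinfo": validate_outbound_url("https://api.partner.example@evil.example/", ALLOWED_HOSTS),
        "rebind": validate_outbound_url("https://rebind.partner.example/", ALLOWED_HOSTS),
        "v6map": validate_outbound_url("https://v6map.partner.example/", ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The resolved-address check is what stops an allowlisted partner name from being pointed at 169.254.169.254 or an internal range; the allowlist alone does not. It is only meaningful if the HTTP client then connects to the IP that was vetted, and it does not cover redirects, which must be either disabled or re-validated hop by hop.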
Real-world breaches in this category
Capital One (100M records)
In 2019 a misconfigured web application firewall running on EC2 was used as an SSRF proxy to the instance metadata service, which returned temporary credentials for the WAF's IAM role. That role was over-privileged: it could list and read S3 buckets holding credit application data for over 100 million people in the United States, well beyond what the WAF needed to do its job.
Optus (10M records)
In 2022 an exposed API endpoint that required no authentication allowed enumeration of customer records by incrementing a sequential identifier, exposing roughly 10 million current and former customers. The endpoint was not meant to be internet-facing, but had been published on a misconfigured subdomain.
USPS Informed Visibility API
In 2018 the Informed Visibility REST API allowed any logged-in usps.com user to query account details and mailing data for any other account simply by changing a parameter, exposing data on roughly 60 million users until the issue was disclosed and fixed.
Compliance impact
- NIST SP 800-53 AC-3 Access Enforcement, AC-6 Least Privilege
- PCI DSS v4.0 Requirement 7.2 Access control system
- HIPAA 164.312(a)(1) Access Control
- CMMC 2.0 AC.L2-3.1.1, AC.L2-3.1.2
- GDPR Article 32 Security of processing