In the age of rapid software development, open source, and genAI, DevOps engineers and Cybersecurity leaders are faced with a seemingly impossible task – how to proactively and efficiently manage and remediate an increasing volume of cybersecurity vulnerabilities, potential threats, and attacks. 

It’s not just the sheer number of cybersecurity vulnerabilities lurking behind every corner that presents a challenge, either. It’s the massive scope of different types of vulnerabilities. Between resolving injection vulnerabilities, prioritizing cryptographic failures, and staying on top of outdated components, DevSecOps teams have their hands full. 

Our recent report, 2025 State of Vulnerability Management & Remediation, found broken access control to be one of the most prevalent vulnerabilities teams now face. It presents a broad range of threats. Not only does it put your applications at risk of tampering, but broken access control can also put customer data in jeopardy and compromise regulatory compliance. 

CISOs need to take this liability seriously. Not addressing broken access controls can open a company up to financial loss through fraudulent transactions, reputation damage in the market, and pricey legal costs. All of these risks are far more expensive to deal with than taking a proactive approach to managing broken access control by empowering, educating, and partnering with your DevOps engineers and using technology to your advantage.

In this article, we’ll explore broken access control, warning signs you may have access control issues you’re not aware of, and steps to take to fix it.

What is broken access control?

Broken access control is a critical security defect that could potentially allow unauthorized people or bad actors to perform actions within your application that they shouldn’t have the ability to do. 


According to OWASP, broken access control is the top web application security risk. OWASP’s Top Ten report states, “94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k.” This is not to be ignored.

Access control keeps the guard rails on who can perform what within your application. When this breaks down or is manipulated, it opens you up to unauthorized changes, disclosures, and modifications. 

In the world of open source posture management, getting a handle on broken access control is essential. When using non-proprietary or open source code within your applications, you’re trusting that whoever wrote it didn’t leave a backdoor open to manipulate access control. 

You cannot properly manage vulnerabilities without knowing who has authorized and unauthorized access to your applications. This makes broken access control a critical part of vulnerability management for any companies using open source software in their software supply chain.

Where to start: How to identify broken access control vulnerabilities

If you have no idea where to begin with assessing the state of your access controls, watch out for these three common warning signs and symptoms that access control vulnerabilities are being exploited:

Users are accessing unauthorized data or functionality 

Take a look at your access logs and pay close attention to who’s accessing what. For example, if users are accessing data they don’t have permission to or are making changes using functionalities they shouldn’t be allowed to use, you have an access control problem.

API misconfigurations leave sensitive information exposed

Web APIs are a common point of broken access control vulnerabilities. If an API is not adequately secured, attackers can manipulate endpoints or input parameters, bypass access controls, and gain access to unauthorized data and functions.

Gaps in Role-based Access Control (RBAC) lead to privilege escalation

Role-based Access Control (RBAC), also known as role-based security, is a security measure in which administrators assign users to roles, each role carrying a predetermined set of permissions or privileges.

When you don’t have a tight handle on role-based access control in your organization, it makes it easier for attackers to obtain unauthorized access to a low-access-level account and then escalate privileges from there.

Real-world broken access control examples

Wondering how broken access control vulnerabilities could play out in the wild? Here are some broken access control examples:

IDOR (Insecure Direct Object Reference) attacks

An Insecure Direct Object Reference (IDOR) occurs when an application exposes internal identifiers, allowing attackers to use those identifiers to manipulate the system and gain access to data.

If certain access controls for your application are managed using unique identifiers directly within a URL, this presents the perfect opportunity for bad actors. By changing a unique identifier in the URL, such as a user ID or a confirmation number, they may be able to bypass access controls and obtain access to another user’s information. 

For example, if your customers manage their payment information using a URL similar to “https://companyname.com/account-payments?id=5436”, a user could simply change 5436 to another value and reach another customer’s account.

Essentially, you’ve given them the recipe to break your access controls. All they need now is a good guess.

Redirect attacks and URL manipulation may lead to phishing attacks

Some attackers are more interested in hijacking the journey of your application’s users and sending them somewhere dangerous. With redirect attacks and URL manipulation, an attacker may exploit a vulnerability within your application’s code that allows them to intercept a user and change a destination URL. 

For example, an attacker may do this on a trustworthy ecommerce website, sending the user to their malicious website instead to obtain sensitive information, like payment details.
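The defensive side of the redirect scenario above, as an added example that is not part of the original article or of ActiveState’s products: a `next`-style redirect parameter is only honoured when it stays on the application’s own allow-listed hosts (`shop.example.com` and `checkout.example.com` are constructed values), and the usual bypass shapes (protocol-relative `//`, backslashes, `user@host` tricks, non-http schemes) all fall back to a safe default.

```python
import re
from urllib.parse import urlsplit

# Hosts this application may redirect to (constructed for the example).
ALLOWED_HOSTS = {"shop.example.com", "checkout.example.com"}
DEFAULT_TARGET = "/account"


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return next_url only if it stays on an allowed host, else the default.

    Treats anything that a browser could read as an absolute URL
    (explicit scheme, '//host', '///host', 'user@host') as off-site unless
    it is https to an allow-listed host; relative paths must start with '/'.
    """
    if not next_url:
        return default
    # Control characters and whitespace have no place in a redirect target
    # (they enable header injection and parser-confusion tricks).
    if re.search(r"[\x00-\x20\x7f]", next_url):
        return default
    # Browsers treat '\' like '/', so normalize before parsing.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc or candidate.startswith("//"):
        # Absolute or protocol-relative URL. parts.hostname strips userinfo
        # and port, so 'shop.example.com@evil.example' resolves to evil.example.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return default
        return candidate
    # Plain relative path: must be rooted at '/'.
    if not parts.path.startswith("/"):
        return default
    return candidate
```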

Poor session management can expose user credentials

Sessions are often managed through session tokens. Without proper session management protocols in place, these tokens can be vulnerable. Attackers can steal valid session tokens and use them to appear as an authorized user. 

Examples of how session tokens become exploitable:

  • Using predictable session IDs with a lack of randomization
  • Storing sensitive info within cookies
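A session design that addresses both bullets, added here as an example and not taken from the article or from any ActiveState code: the token is 256 bits from the OS random source rather than a counter or timestamp, the cookie carries only that opaque token, and the user identity and expiry live server-side. The 30-minute lifetime and the `sid` cookie name are assumptions for the example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # constructed policy value for the example


class SessionStore:
    """Server-side sessions: the browser holds only an opaque random token."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._sessions = {}  # token -> (user_id, expires_at)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: 43 URL-safe chars that cannot be predicted
        # from earlier tokens, unlike sequential ids or time-based values.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def lookup(self, presented):
        """Return the user_id for a live token, or None; expired entries are purged."""
        entry = self._sessions.get(presented)
        if entry is None:
            return None
        user_id, expires_at = entry
        if expires_at <= self._clock():
            del self._sessions[presented]
            return None
        return user_id

    def destroy(self, token):
        """Logout: invalidate server-side so a stolen copy stops working too."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value: HttpOnly keeps scripts away from the token, Secure keeps
    it off plaintext HTTP, SameSite=Lax blocks most cross-site reuse. Nothing
    sensitive (user id, role, email) is placed in the cookie itself."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```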

How to prevent broken access control exploits

In addition to fixing existing vulnerabilities within your applications, it’s important to take proactive steps to prevent broken access control exploits before they happen. After all, there’s no use filling a leaky bucket. Here are a few places to start with broken access control prevention.

Apply the Principle of Least Privilege (PoLP) and evaluate employee permissions levels

To start, what is the Principle of Least Privilege? PoLP is a key cybersecurity practice where users are given the minimum possible levels of access necessary to perform their job functions.

While this may seem harsh, PoLP is not about distrusting your team. It comes down to a simple concept – minimize your attack surface. If (and when) attacks do happen, you want to have as few exploitable points as possible to limit the damage. Fewer accounts with unnecessary permission levels means fewer opportunities for attackers to gain access and use them to their advantage. 

Consistently review and update user permissions based on employee role changes. Make it a mandatory part of promotion, role change, and offboarding processes to reassess an employee’s access controls.

Enforce strong role-based access control (RBAC)

Role-based Access Control (RBAC) gives each user privileges that fit closely within the scope of their role, without extra privileges they don’t need.

Similar to PoLP, having strict RBAC aims to greatly reduce the number of accounts with critical access, limiting exposure if a vulnerability is exploited. To implement RBAC, regularly benchmark the type of access different roles require to do their jobs to create a standard.

Best practices for mitigating broken access control risks in existing applications

Your organization’s applications are likely already out in the world, so how do you address vulnerabilities in code your team has already shipped? Here are three best practices for broken access control mitigation.

Conduct access control audits on a regular basis

Conducting regular access control audits can help you proactively identify vulnerabilities and improper access control before attackers can exploit them, prioritize the most critical access control issues, and put a plan in motion to remediate them. 

Here are the key steps to conducting an access control audit:

  1. Generate a list of all known users
  2. Review the access control and permissions of each type of role
  3. Ensure user permissions match what their role requires (RBAC)
  4. Confirm authentication methods, like passwords and two-factor authentication, are thorough and up to date
  5. Evaluate how access requests are handled and how privileged account status is granted
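Steps 2 and 3 of the audit, and the RBAC benchmark the previous section asks for, as an added example that is not part of the article or of ActiveState’s tooling: a per-role baseline of required permissions is the standard, and every account is compared against it to surface excess privilege, inactive accounts that still hold access (the offboarding gap), and privileged accounts without two-factor authentication. The roles, permission names and `PRIVILEGED_PERMS` set are constructed for the example.

```python
from dataclasses import dataclass, field

# Baseline: what each role needs to do its job (constructed for the example).
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "support":   {"tickets:read", "tickets:write", "customers:read"},
    "admin":     {"repo:read", "repo:write", "ci:run", "users:manage", "billing:read"},
}
# Permissions whose holders must have two-factor authentication enabled.
PRIVILEGED_PERMS = {"users:manage", "billing:read"}


@dataclass
class User:
    name: str
    role: str
    active: bool                                # False once offboarded/disabled
    granted: set = field(default_factory=set)   # permissions actually held today
    mfa_enabled: bool = True


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def audit(users, baseline=ROLE_BASELINE, privileged=PRIVILEGED_PERMS):
    """Compare each account with its role's baseline; return the list of findings."""
    findings = []
    for u in users:
        needed = baseline.get(u.role)
        if needed is None:
            # A role nobody benchmarked cannot be checked against a standard.
            findings.append(Finding(u.name, "unknown-role", u.role))
            continue
        if not u.active and u.granted:
            # Offboarded or disabled but still holding permissions.
            findings.append(Finding(u.name, "inactive-with-access", ",".join(sorted(u.granted))))
        excess = u.granted - needed
        if excess:
            # Privilege the role does not justify: the PoLP violation to revoke.
            findings.append(Finding(u.name, "excess-privilege", ",".join(sorted(excess))))
        if not u.mfa_enabled and u.granted & privileged:
            findings.append(Finding(u.name, "privileged-without-mfa", ",".join(sorted(u.granted & privileged))))
    return findings
```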

In addition to regular audits, you can deploy a tool that supports open source posture management by helping you understand the full scope of vulnerabilities across your codebase. 

An automated, AI-driven platform, like ActiveState, can help you reduce your blind spots, prioritize the most critical access control vulnerabilities, and deploy changes quickly when minutes matter.

Implement CIA Triad principles for stronger access control

The CIA Triad is a well-accepted information security strategy that outlines controls and policies that help minimize threats to the reliability and safety of data. 

The CIA Triad is an acronym for:

  • Confidentiality: Information and data are protected from unauthorized access
  • Integrity: Data is correct and complete and has not been altered or monitored by anyone without authorization
  • Availability: Data can be accessed when it is needed

Ensuring these principles are woven into your cybersecurity strategy can help keep your organization and your customers’ data safe.

Remediate common access control misconfigurations

Unfortunately, misconfigurations in your application can leave you susceptible to access control vulnerabilities. Identifying these misconfigurations and deploying fixes can help reduce your risk exposure. Two places to start looking are Insecure Direct Object References (IDOR) and URL parameters.

IDOR attacks typically work by changing part of a query string, URL, or form field value. In some cases, this also lets attackers perform unauthorized actions and changes.

Because malicious data can find its way into forms and URL parameters, keep your URL parameters secure by carefully checking all user-supplied input. 
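The `account-payments?id=5436` scenario from the IDOR example earlier, and the two remediations named here (validate the URL parameter, then enforce object-level authorization), as an added example that is not part of the article or of any ActiveState product. The vulnerable handler returns whatever record the id points at; the hardened one checks the parameter’s shape and then requires that the caller owns the record or holds a role allowed to view it. Account ids, user ids, roles and the `PAYMENTS` table are constructed for the example.

```python
import re

# Constructed data: account id -> (owning user id, stored payment method)
PAYMENTS = {
    5436: ("user-17", "VISA ****4242"),
    5437: ("user-23", "MC ****1881"),
}
ROLES = {"user-17": "customer", "user-23": "customer", "user-99": "support"}
VIEW_ANY_ACCOUNT = {"support"}  # roles permitted to read other customers' records


def payments_vulnerable(query):
    """The ?id=5436 pattern: the id alone decides what comes back."""
    account_id = int(query["id"])
    return 200, PAYMENTS[account_id][1]   # never asks who is calling


def parse_account_id(raw):
    """Validate the URL parameter before use; None if it is not a plain positive integer."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw or ""):
        return None                        # rejects '', '-1', '5436 OR 1=1', '5436.0'
    return int(raw)


def payments_hardened(query, current_user):
    """Same endpoint with input validation and an object-level authorization check."""
    account_id = parse_account_id(query.get("id"))
    if account_id is None:
        return 400, "id must be a positive integer"
    record = PAYMENTS.get(account_id)
    # Ownership is checked on the record itself, not inferred from the URL.
    allowed = record is not None and (
        record[0] == current_user or ROLES.get(current_user) in VIEW_ANY_ACCOUNT
    )
    if not allowed:
        # Same response for "does not exist" and "not yours", so a user who
        # walks the id space learns nothing about which accounts exist.
        return 404, "not found"
    return 200, record[1]
```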

Final words on broken access control and open source posture management

Broken access control is a significant security risk. If left unaddressed, it can result in unauthorized data access, compromised customer information, and severe financial and reputational consequences. It’s essential for software-focused organizations to understand its impact and mitigate the risk. 

Understanding your application’s vulnerability blast radius, the true scope of vulnerabilities across your codebase, is crucial. But, how in a world of complex applications and open source do we manage an increasing number of vulnerabilities?

Open Source Posture Management and intelligent remediation platforms, like ActiveState, help by providing unparalleled visibility into your organization’s open source landscape, so you can understand not just what’s vulnerable, but how deeply those vulnerabilities extend. 

ActiveState gives you the clarity needed to identify vulnerabilities (broken access control and beyond) at their root, understand their cascading impact across your systems, and remediate vulnerabilities using our Precision Remediation Pipeline.

Take the first step towards fixing broken access control at your organization: book a demo today.