OWASP Top10 Application Security Risk

Never leave this tip while you hunting Broken Access Control

A special Bug-Bounty tip for Bug hunters and Pen-testers

2 min readNov 12, 2021


If you already know about Broken Access Control weakness. Please skip explanation and go to the “Observation” section.

What is Broken Access Control

Broken Access Control is a type of weakness in the software program or application. If the system gives unauthorized access to a low privileged user then we can say that the system had a Broken Access Control weakness.

Broken Access Control secureITmania

Broken access controls are a commonly tends to High/critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organizational, and legal constraints to a technical implementation.

Access Controls are sub-divided into 2 categories
1. Vertical Access Controls
2. Horizontal Access Controls

Issue Observation:

We will assume that the target host name is REDACTED. The figures during the post just for demonstrations, might not relevant to REDACTED domain.

I found a website and it has the signup feature to register an account. I created two accounts and start exploring the web application features for hunting the access control issues. I analyzed the “My Profile” request and observed the below API endpoint.

GET /v1/account/3/user/{userId} HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1rTkNOME0zTXpjek9VUXhOVE5DUVRrd01VRkJSa1EzT0RNNVFqSTBOREUzUlRreE0wTTRdNUSJ9........
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

To verify the access controls I have changed the “userId” value with the another account “userId”. But the application is validating the “userId” value at server side and does not allow to retrieve the…