Meet Us at Gartner® Security & Risk Management Summit | 10-11 March 2025 | Grand Hyatt, Mumbai | Booth 319

Broken Access Control: A Hidden Threat in the Web Security

Web applications are frequent targets of cyberattacks in today’s digital world. Broken access control is the most overlooked threat in many critical systems, especially web applications. It occurs when standard users can access resources or perform actions they should not be able to without proper authentication and authorisation.

In this blog post we uncover the intricacies of broken access control: what it is, how it occurs, and how these vulnerabilities are exploited in real-world scenarios. Let’s explore these questions and illustrate the potential impact of broken access control.

What is Broken Access Control and How Does it Occur? 

A broken access control vulnerability is a failure in an application’s ability to enforce proper restrictions on user actions. It arises when unauthorised users can access resources or perform actions that should be restricted. For instance, if a standard user can reach admin functionality or data intended for privileged users without authentication and authorisation, that is a classic example of improper access control.

Research indicates that access control failures are among the top ten security risks, with 94% of applications tested showing some form of access control weakness.

Failing to address improper access controls can be catastrophic. Threat actors regularly target these vulnerabilities to compromise sensitive information, which can result in financial losses, reputational damage, and legal consequences. In an environment where data breaches dominate the news headlines, organisations must tackle this vulnerability to protect their assets and preserve data integrity.

Here’s an example:

[Figure: example of broken access control]

Let’s examine the different ways a threat actor can attack a system.  

Types of Broken Access Control Vulnerability

Vertical Privilege Escalation: A threat actor gains privileges higher than those granted, such as a regular user escalating their access rights and using admin features without authorisation.

Horizontal Privilege Escalation: Cyber attackers target other users at the same privilege level (e.g., one user accessing another user’s data).     

Insecure Direct Object References (IDOR): An attacker manipulates URLs or parameters to access objects they shouldn’t have access to (e.g., changing a user ID in the URL).     

Exposed APIs: Unauthorised users access sensitive data through APIs that fail to enforce authentication and authorisation adequately.

Bypass of Access Controls: Cyber attackers can skip access controls by spoofing identity, tampering with requests, replaying tokens, or using a debugger.   

The example mentioned above is a classic instance of IDOR, as user B was trying to access User A’s information.     
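The IDOR and privilege-escalation cases above, as an added example (not code from the original post or from Sectona): a minimal in-memory model with a vulnerable profile lookup beside its fixed form, an admin-only action checked server-side, and an audit trail of denied requests. All user ids, roles and records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"

# Constructed sample data (hypothetical): two ordinary users and one admin.
PROFILES = {
    1: {"name": "User A", "email": "a@example.com"},
    2: {"name": "User B", "email": "b@example.com"},
    3: {"name": "Admin", "email": "admin@example.com"},
}
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
DENIALS = []  # audit trail of refused requests: what monitoring should alert on

class AccessDenied(Exception):
    pass

def deny(session_user: User, action: str, target_id: int) -> None:
    DENIALS.append((session_user.user_id, action, target_id))
    raise AccessDenied(f"user {session_user.user_id} may not {action} {target_id}")

def get_profile_vulnerable(session_user: User, requested_id: int) -> dict:
    """Broken (IDOR): the client-supplied id is trusted as-is, so User B
    reads User A's record simply by changing the id in the request."""
    return PROFILES[requested_id]

def get_profile_fixed(session_user: User, requested_id: int) -> dict:
    """Fixed: object-level check against the server-side session identity.
    Owners read only their own record; admins may read any (horizontal case)."""
    if requested_id != session_user.user_id and session_user.role != "admin":
        deny(session_user, "read", requested_id)
    return PROFILES[requested_id]

def delete_profile_fixed(session_user: User, target_id: int) -> bool:
    """Admin-only action, checked server-side on every call, so a regular
    user cannot reach it by guessing the endpoint (vertical case)."""
    if session_user.role != "admin":
        deny(session_user, "delete", target_id)
    return PROFILES.pop(target_id, None) is not None

def attempt(fn, *args) -> str:
    """Run one access attempt and report whether it was allowed or denied."""
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"
```

The same pattern applies to any object reachable by id (orders, invoices, documents): the ownership or role check runs on the server for every request, and every refusal is recorded so that an attacker iterating ids shows up in the logs.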

Top Incidents of Broken Access Control

LinkedIn API Breach (2021)     

In June 2021, a hacker reported obtaining the personal data of more than 700 million LinkedIn users, in what has been labelled one of the most significant data breaches in LinkedIn’s history. The affected information included profile data fields such as names, email addresses, phone numbers, and workplace details. LinkedIn stated that this information was scraped from public profiles rather than obtained by exploiting its systems.


Norton LifeLock Credential Stuffing Attack (2022)

Norton LifeLock revealed that hackers had breached user accounts of its password manager, Norton Password Manager. The breach resulted from unauthorised access to user accounts through potentially compromised email addresses and passwords. Norton LifeLock contacted affected users and asked them to enable two-step authentication, change their passwords, and monitor their accounts for suspicious activity.

Sectona’s Combined Approach Against Improper Access Management 

Least Privilege Principle    

  • User Permissions Management: Sectona allows organisations to enforce least privilege by giving users only the access they need to do their jobs, minimising exposure during a breach.
  • Dynamic Access Control: The platform continuously reviews access rights based on user roles, automatically removes them when no longer required, and maintains a genuinely least-privileged environment.
  • Regular Access Reviews: Sectona facilitates periodic audits of user permissions and removes excessive rights to ensure that user access remains least privileged.


Zero Trust Model    

  • Verification of Every Access Request: Sectona enforces continuous validation of users and devices by considering every access request as critical.    

By applying the principle of least privilege and enabling the Zero Trust security model, Sectona builds a robust access control framework that reduces privileged access exposure and improves security posture by granting users only the access they require, validating each request, and responding with continuous threat protection. Discover how Sectona can enhance your security today: contact us!