|Portswigger Academy Access control vulnerabilities Labs|
Access control (or authorisation) is the application of constraints on whom (or what) can perform attempted actions or access resources that they have requested. In the context of web applications, access control is dependent on authentication and session management:
Authentication identifies the user and confirms that they are who they say they are.
Session management identifies which subsequent HTTP requests are being made by that same user.
Access control determines whether the user is allowed to carry out the action that they are attempting to perform.
Broken access controls are a commonly encountered and often critical security vulnerability. Design and management of access controls is a complex and dynamic problem that applies business, organisational, and legal constraints to a technical implementation. Access control design decisions have to be made by humans, not technology, and the potential for errors is high.
User ID controlled by request parameter, with unpredictable user IDs
User ID controlled by request parameter with data leakage in redirect
User ID controlled by request parameter with password disclosure