Broken Access Control: The Silent Killer (A01:2021)

Broken Access Control moved to the number one spot in the OWASP Top 10 2021. One common manifestation is Insecure Direct Object References (IDOR), where users can access resources belonging to others simply by changing an ID.

The Flaw: IDOR

Imagine a Node.js endpoint that retrieves user profiles:

```javascript
// VULNERABLE CODE
app.get('/profile', async (req, res) => {
  // The id comes straight from the untrusted query string
  const userId = req.query.id;
  // No check if logged-in user owns this ID
  const profile = await db.users.findById(userId);
  res.json(profile);
});
```

An attacker can simply cycle through IDs (?id=1, ?id=2) to scrape every user's data.

Enforcement Logic

We must enforce access controls at the data layer. Here is the logic flow:

[PlantUML diagram: enforcement logic flow]

The Fix

Always verify that the requester is authorized to access the specific resource:

```javascript
// SECURE CODE
app.get('/profile', requireAuth, async (req, res) => {
  // req.query.id is always a string while req.user.id is usually a number,
  // so compare canonical string forms; a raw `!==` would deny even the owner.
  const targetId = String(req.query.id);

  // Check ownership (or an admin role) before touching the database
  if (String(req.user.id) !== targetId && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Access Denied' });
  }

  const profile = await db.users.findById(targetId);
  res.json(profile);
});
```
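The same ownership decision, pulled out of the Express handler into a pure function so it can be unit-tested and reused. This is an added example, not code from the original post; the user shape `{ id, isAdmin }` and the in-memory `USERS` store standing in for `db.users` are assumptions. It also covers two points the fix above leaves implicit: strict parsing of the untrusted `?id=` value, and returning 403 before the lookup so a non-owner cannot probe which IDs exist.

```javascript
// Constructed sample data standing in for db.users (not real users)
const USERS = new Map([
  [1, { id: 1, name: 'alice', email: 'alice@example.com', isAdmin: false }],
  [2, { id: 2, name: 'bob', email: 'bob@example.com', isAdmin: false }],
  [3, { id: 3, name: 'ops', email: 'ops@example.com', isAdmin: true }],
]);

// Parse the untrusted ?id= parameter strictly: only a canonical positive
// decimal integer is accepted, so "", "01", "1abc", "-1" or arrays are rejected.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[1-9]\d*$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Decide whether `user` (the authenticated principal, or null when
// requireAuth did not run) may read the profile identified by `rawId`.
// Returns an HTTP status and, on success, the profile itself.
function authorizeProfileRead(user, rawId) {
  if (!user) return { status: 401 };              // not authenticated
  const targetId = parseId(rawId);
  if (targetId === null) return { status: 400 };  // malformed id

  // Compare as numbers: req.user.id is numeric while req.query.id is a
  // string, so `!==` on the raw values would deny even the owner.
  const isOwner = user.id === targetId;
  if (!isOwner && !user.isAdmin) return { status: 403 };

  // Authorization is decided before the lookup, so a non-owner gets the
  // same 403 whether or not the target ID exists.
  const profile = USERS.get(targetId);
  if (!profile) return { status: 404 };
  return { status: 200, profile };
}

// Hypothetical Express-style handler built on the decision function
function profileHandler(req, res) {
  const result = authorizeProfileRead(req.user, req.query.id);
  if (result.status !== 200) {
    return res.status(result.status).json({ error: 'Access Denied' });
  }
  return res.json(result.profile);
}
```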