# Broken Access Control

The security risk Broken Access Control describes incorrect or missing restrictions on which groups of users may access certain resources.

A01:2021

# Background

# Context

Often used types of access control systems are:

  • Attribute Based Access Control
  • Role Based Access Control
  • Decentralized Approaches
    • OpenID Connect
    • OAuth

# Problems

  • If access control is defined incorrectly, users can access resources that they are not allowed to access
  • Depending on the system, admin functionality can be abused or premium functions can be used for free

# Solutions

# Technology

Different libraries exist that help developers define roles or attributes, attach certain rights to these groups, and provide methods to verify whether a user has the required rights to view a resource.

DANGER

The developers themselves first have to define which resources need to be restricted and who may access them. Since this is a rather individual task, no generic solution for creating a secure access control system exists.
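An added example, not code from the page or from any specific library, of what such a check looks like once the developers have defined their resources and roles: a deny-by-default decision that combines a role-based right (RBAC) with an ownership attribute (ABAC), shown next to the missing check the page warns about. The roles, users and documents are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy (not from the page): which action each role may perform.
# Anything not listed here is denied; there is no "allow everything" fallback.
ROLE_PERMISSIONS = {
    "admin":   {"document:read", "document:delete", "report:export"},
    "premium": {"document:read", "report:export"},
    "user":    {"document:read"},
}

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset

@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str

# Constructed resources and principals used by the checks below.
DOCUMENTS = {"d1": Document("d1", "alice"), "d2": Document("d2", "bob")}
ALICE = User("alice", frozenset({"user"}))
BOB = User("bob", frozenset({"premium"}))
ADMIN = User("root", frozenset({"admin"}))

def role_allows(user: User, action: str) -> bool:
    """RBAC gate: does at least one of the user's roles grant this action?"""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def is_authorized(user: User, action: str, resource: Optional[Document] = None) -> bool:
    """Deny-by-default decision: role check first, then an ownership attribute."""
    if not role_allows(user, action):
        return False
    # ABAC part: non-admins may only touch documents they own, even with the role right.
    if resource is not None and "admin" not in user.roles:
        return resource.owner_id == user.id
    return True

def fetch_document_broken(user: User, doc_id: str) -> Document:
    """The flaw the page describes: the id is trusted and no check is made at all."""
    return DOCUMENTS[doc_id]

def fetch_document(user: User, doc_id: str) -> Document:
    """Fixed version: the check runs in the resource handler, not only in the UI."""
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "forbidden" so the response does not reveal which ids exist.
    if doc is None or not is_authorized(user, "document:read", doc):
        raise PermissionError("access denied")
    return doc
```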

Last Updated: 7/3/2022, 3:51:46 PM