A01:2025 - Broken Access Control
Broken Access Control remains the number-one risk in the OWASP Top 10 for 2025, holding the position it took in the 2021 edition. It was already the most widespread category in the data behind that ranking, where 94% of applications were tested for some form of broken access control, and it keeps the top spot in 2025. The 2025 edition also folds Server-Side Request Forgery (SSRF), previously A10:2021, into this category, on the reasoning that an SSRF bug is an access control failure committed by the server on the attacker's behalf.
Overview
Access control enforces policies so that users cannot act outside their intended permissions. When these controls fail, attackers can view or modify other users' data, escalate privileges, or force the server to make requests on their behalf. The 2025 update broadens this category by absorbing SSRF, recognizing that unvalidated server-side requests are a form of broken access control at the network layer. Radar's static analysis engine identifies these patterns early in the development cycle, before they reach production.
What Radar Detects
Missing authorization checks on controllers and API endpoints. Handlers that authenticate the user but never verify whether that user is authorized to perform the requested action or access the requested resource.
Insecure Direct Object References (IDOR). User-supplied identifiers (IDs, filenames, keys) passed directly to data lookups without ownership or permission verification, allowing attackers to access other users' records.
CORS misconfiguration. Overly permissive cross-origin headers. Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true is a misconfiguration that browsers reject outright (credentialed requests are not allowed against a literal *); the exploitable variant is Access-Control-Allow-Credentials: true combined with an Access-Control-Allow-Origin value that reflects the request's Origin header or comes from a loose substring or regex match. That lets a page on any site make authenticated cross-origin requests that carry the victim's session cookies and read the responses.
Forced browsing. Sensitive resources (admin panels, configuration files, backup archives) that are accessible by direct URL without any authentication or authorization gate.
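The following Python is an added example, not Radar's code or a Radar finding; the first-party origins in ALLOWED_ORIGINS are hypothetical. It places the two misconfigurations just described (reflecting the request's Origin, and a suffix match that reads like an allowlist) beside an exact-match allowlist, so the difference can be exercised with constructed Origin values:

```python
"""Constructed CORS response-header logic: an Origin-reflecting handler, a
suffix-matching one, and an exact allowlist. Added example, not Radar's code."""
from urllib.parse import urlsplit

# Hypothetical first-party origins. Scheme, host and port must all match.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def vulnerable_cors_headers(request_origin):
    """Reflects whatever Origin the browser sent and allows credentials, so a
    page on any site can read responses that carry the victim's cookies."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def suffix_match_cors_headers(request_origin):
    """Looks like an allowlist but is a substring test: an attacker who
    registers evil-example.com passes. A prefix test has the mirror problem
    (https://app.example.com.attacker.net)."""
    if request_origin and request_origin.endswith("example.com"):
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Exact match against the allowlist after case normalisation. Anything
    else, including the literal 'null' origin, gets no CORS headers at all.
    Vary: Origin stops caches from serving one origin's answer to another."""
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    # A serialized origin is scheme://host[:port] only; a path, query or
    # fragment means this is not a well-formed Origin value.
    if parts.path or parts.query or parts.fragment or not parts.netloc:
        return {}
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

Call each function with the Origin value from an incoming request and emit the returned headers; an empty dict means the response goes out without any CORS headers, which is the correct deny-by-default answer for an unrecognised origin.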
Privilege escalation paths. Code paths where standard user roles can reach administrative functionality due to missing role checks or flawed role hierarchy validation.
Missing function-level access control. Endpoints that verify a user is logged in but fail to check whether the user holds the correct role or permission for the specific operation.
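The following Python is an added example, not Radar's code or output; the document service, the users and the policy table are constructed for illustration. It shows the handler shapes described above (an ownership check that is never made on a user-supplied id, and a login check standing in for a role check) next to the same handlers routed through one deny-by-default authorize() function, which is also the centralized, record-level pattern recommended under Prevention:

```python
"""Constructed document service: two handlers that only check login, then the
same handlers behind a single deny-by-default authorization function.
Added example, not Radar's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


@dataclass
class Document:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    pass


# Constructed in-memory "database", keyed by the id the client supplies.
DOCS = {
    1: Document(1, owner_id=100, body="alice's tax return"),
    2: Document(2, owner_id=200, body="bob's medical record"),
}


def vulnerable_get_document(current_user, doc_id):
    """CWE-639: the id is user-controlled and ownership is never checked,
    so any logged-in user can read any document by iterating ids."""
    if current_user is None:
        raise Forbidden("login required")
    return DOCS[doc_id].body


def vulnerable_delete_document(current_user, doc_id):
    """CWE-862: deletion is admin-only in the hypothetical policy, but the
    handler only verifies that someone is logged in."""
    if current_user is None:
        raise Forbidden("login required")
    del DOCS[doc_id]


# Hardened version: one policy table consulted by every handler.
# An action missing from the table is denied, never allowed.
POLICY = {
    "document:read": lambda u, d: d.owner_id == u.id or "admin" in u.roles,
    "document:delete": lambda u, d: "admin" in u.roles,
}


def authorize(user, action, resource):
    """Central check. Anonymous callers, unknown actions and failed
    predicates all end in Forbidden."""
    if user is None:
        raise Forbidden("login required")
    rule = POLICY.get(action)
    if rule is None or not rule(user, resource):
        raise Forbidden(f"{action} denied for user {user.id}")


def get_document(current_user, doc_id):
    doc = DOCS.get(doc_id)
    if doc is None:
        # Same error as a denied request, so missing and forbidden ids
        # look alike to someone enumerating them.
        raise Forbidden("document:read denied")
    authorize(current_user, "document:read", doc)
    return doc.body


def delete_document(current_user, doc_id):
    doc = DOCS.get(doc_id)
    if doc is None:
        raise Forbidden("document:delete denied")
    authorize(current_user, "document:delete", doc)
    del DOCS[doc_id]


def denied(handler, *args):
    """True if the handler refuses the request; used to exercise both versions."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

With User(200) as a logged-in "bob", vulnerable_get_document(bob, 1) returns alice's document while get_document(bob, 1) raises Forbidden; a User carrying the "admin" role passes both predicates. The point of the POLICY table is that a handler cannot forget the check: it either calls authorize() or it has no way to reach the resource at all.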
Cross-Site Request Forgery (CSRF). State-changing operations (account updates, transfers, deletions) that lack anti-forgery tokens, allowing attackers to submit forged requests on behalf of authenticated users.
Server-Side Request Forgery (SSRF). Unvalidated URLs in server-side HTTP requests, including requests to cloud metadata endpoints (169.254.169.254), to internal services, and URL scheme abuse (file://, gopher://, dict://).
Related CWEs
CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-352 (Cross-Site Request Forgery), CWE-918 (Server-Side Request Forgery).
See the CWE Reference for details.
Prevention
- Implement a centralized access control mechanism and reuse it consistently across the entire application rather than scattering authorization logic in individual handlers.
- Adopt a deny-by-default policy: reject all access unless an explicit rule grants permission.
- Enforce record-level ownership checks so that users can only access data that belongs to them.
- Disable web server directory listing and ensure that file metadata and backups are not served from the web root.
- Log access control failures and alert administrators when repeated violations suggest an active attack.
- Rate-limit API access to reduce the impact of automated exploitation of missing access controls.
- For SSRF prevention, validate all user-supplied URLs against a strict allowlist of permitted hosts and protocols, resolve the host and check every resulting address, and apply the same checks to each redirect hop rather than letting the HTTP client follow redirects on its own.
- Block server-side requests to private and link-local IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), including when they are reached through an IPv4-mapped IPv6 address such as ::ffff:169.254.169.254.
- Invalidate server-side session tokens on logout and enforce short session expiry times.
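The following Python is an added example, not Radar's code or a Radar rule, tying together the SSRF detection described under What Radar Detects and the two SSRF prevention bullets above. The allowlisted hosts, the DNS answers and the HTTP responses are constructed so that it runs offline; a real deployment would keep system_resolver and swap fake_send for its HTTP client. It goes one step past the bullets: an allowlisted name is still resolved and checked, because its DNS can be repointed at an internal address, and redirects are followed by hand so that a 302 from an allowlisted host to the metadata service is caught.

```python
"""Constructed outbound-URL guard for server-side fetches (added example, not
Radar's code). Checks scheme, host allowlist, every resolved address and
every redirect hop. DNS and HTTP are injected so the example runs offline."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})
# Hypothetical hosts this service is permitted to call.
ALLOWED_HOSTS = frozenset({"api.partner.example", "cdn.example.net"})

# The ranges from the prevention list plus 0.0.0.0/8, loopback, CGNAT,
# multicast, reserved, and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SSRFBlocked(ValueError):
    pass


def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the metadata address in an IPv6 wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Real resolver: every A/AAAA answer, because an attacker-controlled
    zone can mix a public address with an internal one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=system_resolver):
    """Returns the addresses the fetch may connect to, or raises SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:       # file://, gopher://, dict://
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:          # http://api.partner.example@10.0.0.5/
        raise SSRFBlocked("userinfo in URL")
    host = parts.hostname
    if host not in ALLOWED_HOSTS:                 # also rejects raw and decimal IPs
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"host did not resolve: {host!r}")
    # An allowlisted name is still checked: its DNS can be repointed
    # (rebinding, compromised zone) at an internal address.
    for addr in addresses:
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{host} resolves to blocked address {addr}")
    return addresses


def fetch_safely(url, send, resolver=system_resolver, max_hops=3):
    """Follows redirects by hand so each hop is validated, and hands the
    client the address that was checked rather than letting it resolve again."""
    for _ in range(max_hops + 1):
        addresses = validate_outbound_url(url, resolver)
        status, location, body = send(url, addresses[0])
        if status not in (301, 302, 303, 307, 308):
            return body
        if not location:
            raise SSRFBlocked("redirect without Location")
        url = urljoin(url, location)
    raise SSRFBlocked("too many redirects")


# Constructed DNS answers and HTTP responses so the example runs offline.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "cdn.example.net": ["198.51.100.7", "2001:db8::7"],
}
FAKE_HTTP = {
    "https://cdn.example.net/logo.png": (200, None, b"\x89PNG..."),
    # Open redirect on an allowlisted host aimed at the cloud metadata service.
    "https://api.partner.example/v1/report": (302, "http://169.254.169.254/latest/meta-data/", b""),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def fake_send(url, address):
    return FAKE_HTTP.get(url, (404, None, b""))


def blocked(url, resolver=fake_resolver):
    """True if fetch_safely refuses the URL at some hop."""
    try:
        fetch_safely(url, fake_send, resolver)
    except SSRFBlocked:
        return True
    return False
```

The send callable receives the validated address alongside the URL so the HTTP client can connect to that address and still send the original Host header; clients that resolve the name again on their own reopen the rebinding window the check just closed.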
Next Steps
OWASP Top 10 Overview
Return to the full OWASP Top 10 2025 overview mapped by Radar.
Next: A02:2025
Security Misconfiguration. Debug modes, verbose errors, and insecure defaults.
CWE Reference
Browse all CWE detections supported by Radar SAST.