Common Access Control Failures
The most straightforward access control failure occurs through direct object references, where applications expose internal identifiers in URLs or parameters. For instance, if your bank statement URL looks like "bank.com/statement?account=12345," an attacker might try changing it to "account=12346" to access someone else's statement. While this seems obvious, you'd be surprised how many applications still make this mistake, especially in internal tools or rapidly developed features.
Another common pattern involves privilege escalation, where regular users find ways to perform administrative actions. This might happen when applications only check permissions on the client side, trusting that users won't tamper with the interface. For example, hiding a "Delete All Users" button using JavaScript doesn't prevent attackers from directly calling the underlying API endpoint. Real-world breaches have occurred when employees discovered they could approve their own expense reports or modify their salaries by manipulating requests.
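Both failures above come down to the same missing step: the server must decide who is asking before it acts on an identifier or a request. The following added example (not from this article) shows that step for each case in plain Python; the accounts, roles and expense report are constructed sample data, and the functions stand in for API handlers that return `(status, body)` pairs like an HTTP response.

```python
# Added example, not from the original article. All data below is constructed.
ACCOUNTS = {12345: {"owner": "alice", "statement": "Alice: balance 1240.00"},
            12346: {"owner": "bob", "statement": "Bob: balance 88.10"}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin", "dave": "manager"}
EXPENSES = {"exp-7": {"submitter": "dave", "amount": 150.0, "approved": False}}


def get_statement_insecure(account_id):
    # Vulnerable: the account id comes straight from the URL and nobody asks
    # whether the caller owns it (insecure direct object reference).
    acct = ACCOUNTS.get(account_id)
    return (200, acct["statement"]) if acct else (404, "not found")


def get_statement(current_user, account_id):
    # Hardened: resolve the object, then enforce ownership on the server.
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != current_user:
        # One response for "missing" and "not yours", so the status code
        # does not confirm which account ids exist.
        return (404, "not found")
    return (200, acct["statement"])


def delete_all_users(current_user):
    # Hardened: the role check lives on the server, so it holds whether or
    # not the client ever rendered the button. Hidden UI is not authorization.
    if ROLES.get(current_user) != "admin":
        return (403, "admin role required")
    return (200, sorted(ROLES))  # ids that would be deleted; a no-op here


def approve_expense(current_user, report_id):
    # Hardened: separation of duties. Approvers need the right role, and even
    # a legitimate approver may not approve a report they submitted themselves.
    report = EXPENSES.get(report_id)
    if report is None:
        return (404, "not found")
    if ROLES.get(current_user) not in ("manager", "admin"):
        return (403, "approver role required")
    if report["submitter"] == current_user:
        return (403, "cannot approve your own report")
    report["approved"] = True
    return (200, f"{report_id} approved")
```

The insecure handler is kept only to show the contrast: it returns any account's statement to anyone who guesses the id, while the hardened one refuses unless the caller is the owner.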