Real-World Impact and Examples

The 2019 Capital One breach, which affected over 100 million customers, stemmed in part from broken access controls: a misconfigured web application firewall let an attacker obtain AWS credentials and eventually exfiltrate large amounts of data. Many social media privacy incidents follow the same pattern, with private messages or photos exposed to anyone who manipulates a URL parameter or an API call.

These breaches illustrate why access control deserves top billing in the OWASP Top 10 list. Unlike vulnerabilities that require sophisticated techniques to exploit, access control failures often succumb to simple manual testing: an attacker needs no advanced tools or deep technical knowledge, only persistence and creativity in trying different parameter values or API endpoints.
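The manipulated-URL failure described above, as an added example that is not code from the original article: a photo endpoint that returns whatever record the request id names (vulnerable) beside one that checks the record's owner against the server-side session (fixed), plus a small audit helper a defender can keep as a regression test. The in-memory store, the user and photo ids, and the function names are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int
    private: bool
    data: str


# Constructed sample store: photos 101 belongs to user 1; 102 and 103 to user 2.
PHOTOS = {
    101: Photo(101, 1, True, "alice-private.jpg"),
    102: Photo(102, 2, True, "bob-private.jpg"),
    103: Photo(103, 2, False, "bob-public.jpg"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_photo_vulnerable(session_user_id: int, photo_id: int) -> Photo:
    """Broken: the caller is authenticated, but ownership is never checked,
    so any logged-in user can read any photo by changing the id in the URL."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        raise NotFound(photo_id)
    return photo  # session_user_id is ignored: that is the bug


def get_photo_fixed(session_user_id: int, photo_id: int) -> Photo:
    """Fixed: the decision is made per object, using the user id taken from
    the server-side session rather than anything the client supplied."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        raise NotFound(photo_id)
    if photo.private and photo.owner_id != session_user_id:
        # Some applications raise NotFound here too, so that a denied request
        # does not reveal whether the object exists.
        raise Forbidden(photo_id)
    return photo


def leaked_private_photos(handler) -> list:
    """Audit helper: every (user, photo_id) pair for which the handler hands a
    private photo to someone other than its owner. Empty means no leak."""
    leaks = []
    for uid in sorted({p.owner_id for p in PHOTOS.values()}):
        for pid, photo in PHOTOS.items():
            if photo.private and photo.owner_id != uid:
                try:
                    handler(uid, pid)
                    leaks.append((uid, pid))
                except (Forbidden, NotFound):
                    pass
    return leaks
```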