What is broken access control?

Answer

Broken access control (OWASP Top 10 #1 in 2021) occurs when users can act outside their intended permissions, i.e. reach data or functionality they should not be able to.

Examples:
(1) IDOR (Insecure Direct Object Reference): changing /api/orders/123 to /api/orders/124 and seeing another user's order.
(2) Privilege escalation: a regular user accessing admin endpoints.
(3) Forced browsing: directly requesting URLs that should be restricted (e.g., /admin/dashboard).
(4) Path traversal: ../../../etc/passwd.

Prevention:
(1) Deny access by default; whitelist the specific permissions each role needs.
(2) Enforce access rules on the server side (never trust client-side checks).
(3) Log access control failures.
(4) Rate limit API endpoints.
(5) Invalidate tokens on logout.
(6) Test access control in all scenarios, including while authenticated as a different user.
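To make the IDOR example and the first three prevention points concrete, here is an added illustration (not part of the original answer) in plain Python with no web framework: a constructed in-memory orders store, the vulnerable lookup that trusts the id from the URL, the hardened lookup that checks ownership on the server and denies by default, and a role decorator standing in for the /admin/dashboard check. The users, order ids, roles and the `Forbidden` exception are all assumptions made for the example.

```python
from dataclasses import dataclass
from collections import Counter
from functools import wraps
from typing import Optional
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("access_control")

# Denied requests per user id. A real service would feed this into alerting
# or rate limiting instead of keeping it in process memory (constructed).
DENIALS: Counter = Counter()


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: two customers, one order each. Ids 123 and 124
# mirror the /api/orders/123 -> /api/orders/124 IDOR described in the answer.
ORDERS = {
    123: Order(order_id=123, owner_id=1, total=49.90),
    124: Order(order_id=124, owner_id=2, total=1200.00),
}


class Forbidden(Exception):
    """Raised when the authenticated caller is not permitted to act."""


def deny(user: User, what: str) -> None:
    """Record and log an access-control failure, then refuse the request."""
    DENIALS[user.user_id] += 1
    log.warning("denied user=%s action=%s total_denials=%d",
                user.user_id, what, DENIALS[user.user_id])
    raise Forbidden(f"user {user.user_id}: {what}")


def denial_count(user_id: int) -> int:
    """How many times this user has been refused (useful for detection)."""
    return DENIALS[user_id]


def get_order_vulnerable(user: User, order_id: int) -> Optional[Order]:
    """IDOR: the id comes straight from the URL and ownership is never checked,
    so any authenticated user can read any order."""
    return ORDERS.get(order_id)


def get_order(user: User, order_id: int) -> Optional[Order]:
    """Hardened lookup: server-side ownership check, explicit allow rule,
    deny by default."""
    order = ORDERS.get(order_id)
    if order is None:
        return None  # the record does not exist (404 semantics)
    allowed = order.owner_id == user.user_id or user.role == "admin"
    if not allowed:
        deny(user, f"read order {order_id} owned by {order.owner_id}")
    return order


def require_role(role: str):
    """Decorator enforcing a role on the server regardless of what the client
    sends; this is what stops forced browsing to an admin-only handler."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                deny(user, f"call {handler.__name__} (requires role {role})")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def admin_dashboard(user: User) -> dict:
    """Admin-only view; a plain customer is refused before reaching this body."""
    return {"orders": len(ORDERS), "revenue": sum(o.total for o in ORDERS.values())}


if __name__ == "__main__":
    alice, bob, root = User(1, "customer"), User(2, "customer"), User(99, "admin")
    print("vulnerable:", get_order_vulnerable(alice, 124))  # Bob's order leaks
    print("hardened  :", get_order(alice, 123))
    for call in (lambda: get_order(alice, 124), lambda: admin_dashboard(bob)):
        try:
            call()
        except Forbidden as exc:
            print("refused   :", exc)
    print("admin     :", admin_dashboard(root))
```

The hardened `get_order` deliberately distinguishes "not found" from "forbidden" so the log line and exception are visible in the example; many production APIs return the same 404 for both cases so that an id's existence is not confirmed to a caller who is not allowed to see it. Either way, the decision is made from the server's own record of who owns the order, never from anything the client supplied.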