Broken Access Control, listed as A05 in the OWASP Top 10 for 2017, occurs when applications fail to enforce restrictions on what authenticated users are allowed to do. This can allow users to access data or functions outside their intended permissions, such as viewing other users’ information, modifying records, or performing admin-level actions. These flaws are often caused by missing or inconsistent access checks on the server. To prevent them, enforce role-based access rules, deny access by default, and validate permissions server-side for every request, not just in the user interface.
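The three controls named above (role-based rules, deny by default, server-side checks on every request) are easiest to see in code. The following is an added example written for this page, not code from OWASP or from any real application: a minimal in-memory authorization layer in Python in which the users, roles, records and the policy table are all constructed sample data. The vulnerable handler relies on the user interface to hide other users' record ids; the hardened handlers load the object and then authorize the (user, action, object) triple on the server before touching it.

```python
# Added example, not from the original page: server-side authorization with
# role-based rules, an ownership rule, and deny-by-default. All users, roles,
# records and the policy table below are constructed sample data.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str          # constructed roles: "user" or "admin"


@dataclass
class Record:
    id: int
    owner_id: int
    body: str


# Constructed in-memory store standing in for a database table.
RECORDS = {
    1: Record(id=1, owner_id=10, body="alice's notes"),
    2: Record(id=2, owner_id=20, body="bob's notes"),
}

# Role-based rules: roles that may perform an action on *any* record.
# An action absent from this table is denied unless the ownership rule applies.
ROLE_PERMISSIONS = {
    "record:read":   {"admin"},
    "record:update": {"admin"},
    "record:delete": {"admin"},
}
# Ownership rule: actions a user may perform on records they own (not delete, in this policy).
OWNER_PERMISSIONS = {"record:read", "record:update"}

Response = Tuple[int, Optional[str]]   # (HTTP-like status, body)


def is_allowed(user: Optional[User], action: str, record: Optional[Record] = None) -> bool:
    """Deny by default: return True only when an explicit rule grants the action."""
    if user is None:                                   # unauthenticated request
        return False
    if user.role in ROLE_PERMISSIONS.get(action, set()):
        return True
    if record is not None and action in OWNER_PERMISSIONS and record.owner_id == user.id:
        return True
    return False


# --- Vulnerable handler: the only "check" is that the UI lists a user's own ids.
# Any authenticated user who supplies another id in the request reads that record.
def read_record_vulnerable(user: User, record_id: int) -> Response:
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record.body


# --- Hardened handlers: authorize on the server, on every request, after loading
# the object so the ownership rule can see who owns it.
def read_record(user: Optional[User], record_id: int) -> Response:
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "record:read", record):
        # Same response for "missing" and "not permitted" so ids cannot be probed.
        return 404, None
    return 200, record.body


def update_record(user: Optional[User], record_id: int, new_body: str) -> Response:
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "record:update", record):
        return 404, None
    record.body = new_body
    return 200, record.body


def delete_record(user: Optional[User], record_id: int) -> Response:
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "record:delete", record):
        return 404, None
    del RECORDS[record_id]
    return 204, None


if __name__ == "__main__":
    alice, admin = User(10, "user"), User(1, "admin")
    print(read_record_vulnerable(alice, 2))   # (200, "bob's notes"): check is missing
    print(read_record(alice, 2))              # (404, None): ownership rule enforced
    print(read_record(admin, 2))              # (200, "bob's notes"): role rule grants it
```

Two design choices are worth noting. Every handler calls `is_allowed` itself rather than assuming an earlier layer did, which is what "validate permissions for every request" means in practice; and the policy is a closed table, so a newly added action such as `record:export` is denied for everyone until someone writes a rule for it. Returning the same 404 for a missing record and a forbidden one is a common choice that keeps the response from confirming which ids exist; returning 403 consistently is also acceptable as long as it is applied uniformly.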