OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021.
Weaknesses
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be contr...
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the...
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the und...
The Web services architecture may require exposing a Web Services Description Language (WSDL) file that contains information on the publicly accessible services and how ...
The product makes files or directories accessible to unauthorized actors, even though they should not be.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or exe...
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an uni...
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows ...
During installation, installed file permissions are set to allow anyone to modify those files.
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive ...
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple d...
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that c...
The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request bef...
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
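Two of the weaknesses listed above lend themselves to a side-by-side demonstration: the authorization bypass through a user-controlled key (the first entry) and the incompletely neutralized '.../...//' sequence. The following is an added example and not code from the CWE page or from MITRE; each vulnerable function sits beside its hardened counterpart. The record store, the user names, the function names and the root directory are constructed for the example.

```python
import posixpath

# Constructed sample data: records keyed by an id that would appear in a
# URL, each owned by exactly one user.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}


class AccessDenied(Exception):
    """Raised when an authorization or path-containment check fails."""


def get_record_vulnerable(record_id, current_user):
    """Authorization bypass through a user-controlled key: the id from the
    request selects the record and the caller's identity is never consulted,
    so any authenticated user reads any record by changing the id."""
    return RECORDS[record_id]["body"]


def get_record_checked(record_id, current_user):
    """Object-level authorization: fetch the record, then confirm the caller
    owns it before returning anything."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        # One error for both "missing" and "not yours": distinct responses
        # would let a caller enumerate which ids exist.
        raise AccessDenied("record not found")
    return record["body"]


def strip_dotdot_once(user_path):
    """Single-pass neutralization, the mistake behind the '.../...//' entry:
    removing each '../' exactly once turns '.../...//' into '../', so the
    filter manufactures the very sequence it meant to remove."""
    return user_path.replace("../", "")


def resolve_vulnerable(root, user_path):
    """Trusts the single-pass filter and joins the result under root."""
    return posixpath.normpath(posixpath.join(root, strip_dotdot_once(user_path)))


def resolve_checked(root, user_path):
    """Canonicalize first, then verify containment; nothing is stripped.
    posixpath.normpath does not follow symlinks, so on a real filesystem
    apply the same containment test to os.path.realpath() of the candidate."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate != root and not candidate.startswith(root + "/"):
        raise AccessDenied("path escapes the restricted directory")
    return candidate


def is_denied(func, *args):
    """True if func refuses the request with AccessDenied."""
    try:
        func(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # alice reads bob's record through the unchecked lookup, not the checked one
    print(get_record_vulnerable(102, "alice"))
    print(is_denied(get_record_checked, 102, "alice"))
    # the single-pass filter lets '.../...//' climb out of the root
    print(resolve_vulnerable("/srv/app/files", ".../...//secret.txt"))
    print(is_denied(resolve_checked, "/srv/app/files", "../secret.txt"))
```

Note that `resolve_checked` also rejects an absolute path supplied by the caller, because `posixpath.join` discards the root when the second argument begins with "/", and the containment test then fails. The checked record lookup returns the same error for a missing record and for a record owned by someone else; answering differently would turn the authorization check into an oracle for valid ids.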
Categories
Weaknesses in this category are related to improper assignment or handling of permissions.
Deprecated or Obsolete
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Concepts
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.