A01 Broken Access Control
What this means
SiteShadow flagged a place where a user can reach data or actions they shouldn't be allowed to access (for example: another user's record, an admin-only endpoint, or a privileged operation).
Why it matters
- IDOR / data leaks: changing an ID like /invoices/123 → /invoices/124 exposes someone else's data.
- Privilege escalation: a normal user can perform admin actions (invite users, change roles, view audit logs).
- Integrity impact: attackers can edit/delete data they don't own.
Safer examples
1) Check authorization on every object access (ownership / policy)
def get_invoice_for(current_user, invoice_id):
    invoice = get_invoice(invoice_id)  # get_invoice / current_user stand for your app's own helpers
    # Decide on the loaded record's owner, never on the id the client sent
    if invoice.user_id != current_user.id:
        raise PermissionError("Forbidden")
    return invoice
2) Prefer "deny by default" route guards
// requireAuth and requireRole are the app's own middleware; order matters:
// authenticate first, then check the role, and only then run the handler.
app.get("/admin/audit", requireAuth, requireRole("admin"), async (req, res) => {
  res.json(await getAuditLog());
});
3) Test for "can't access others' data"
- Unit tests for policy functions (owner/admin checks).
- Integration tests that authenticate as one user, request another user's ID, and assert 403 (or 404 if you choose not to reveal that the record exists).
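The three steps above combined into one runnable example. This is an added illustration, not SiteShadow's code and not any web framework's API: the User and Invoice types, the in-memory INVOICES table, the route()/dispatch() router and the can_view_invoice policy are all constructed for the example.

```python
"""Ownership policy, deny-by-default router and cross-user checks.
Added illustration for this page, not SiteShadow's code and not any web
framework's API: User, Invoice, INVOICES, route() and dispatch() are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    id: int
    user_id: int  # owner
    total: int

# Constructed data: invoice 123 belongs to user 1, invoice 124 to user 2.
INVOICES: Dict[int, Invoice] = {
    123: Invoice(123, user_id=1, total=100),
    124: Invoice(124, user_id=2, total=250),
}

class NotFound(Exception):
    pass

# 1) One policy function decides who may read an invoice; handlers never re-derive it.
def can_view_invoice(user: User, invoice: Invoice) -> bool:
    return user.role == "admin" or invoice.user_id == user.id

def get_invoice_for(user: User, invoice_id: int) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    # Unknown id and someone else's id both become NotFound, so walking
    # /invoices/123, /invoices/124, ... does not reveal which ids exist.
    if invoice is None or not can_view_invoice(user, invoice):
        raise NotFound(invoice_id)
    return invoice

# 2) Deny-by-default router: a route cannot be registered without a guard, and
#    any path that was never registered is a 404 rather than an open endpoint.
Guard = Callable[[User], bool]
Handler = Callable[[User, dict], object]
ROUTES: Dict[str, Tuple[Guard, Handler]] = {}

def authenticated(user: User) -> bool:
    return True  # dispatch() has already turned away anonymous callers

def require_role(role: str) -> Guard:
    return lambda user: user.role == role

def route(path: str, guard: Guard):
    def register(handler: Handler) -> Handler:
        ROUTES[path] = (guard, handler)
        return handler
    return register

@route("/invoices/{id}", authenticated)
def show_invoice(user: User, params: dict) -> Invoice:
    return get_invoice_for(user, int(params["id"]))

@route("/admin/audit", require_role("admin"))
def audit_log(user: User, params: dict) -> list:
    return [{"event": "role.changed", "by": user.id}]  # stand-in for the real log

def dispatch(user: Optional[User], path: str, params: dict) -> Tuple[int, object]:
    """Return (status, body) with the 401 / 403 / 404 split a web framework would use."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, None
    guard, handler = entry
    if user is None:
        return 401, None
    if not guard(user):
        return 403, None
    try:
        return 200, handler(user, params)
    except NotFound:
        return 404, None

# 3) The page's "try a different user's ID" checks, runnable without a server.
def cross_user_checks() -> Dict[str, int]:
    alice, admin = User(1, "user"), User(9, "admin")
    return {
        "own_invoice": dispatch(alice, "/invoices/{id}", {"id": "123"})[0],
        "other_users_invoice": dispatch(alice, "/invoices/{id}", {"id": "124"})[0],
        "missing_invoice": dispatch(alice, "/invoices/{id}", {"id": "999"})[0],
        "admin_reads_any": dispatch(admin, "/invoices/{id}", {"id": "124"})[0],
        "user_hits_admin_route": dispatch(alice, "/admin/audit", {})[0],
        "admin_hits_admin_route": dispatch(admin, "/admin/audit", {})[0],
        "anonymous": dispatch(None, "/admin/audit", {})[0],
        "unregistered_path": dispatch(alice, "/export", {})[0],
    }

if __name__ == "__main__":
    for name, status in cross_user_checks().items():
        print(f"{name:24} -> {status}")
```

Note the status split: the role guard on /admin/audit answers 403 because the route's existence is not secret, while get_invoice_for answers 404 for both a missing id and another user's id, so an attacker iterating /invoices/N cannot learn which records exist. Either response satisfies the integration tests above as long as it is the one you assert on consistently.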
How SiteShadow detects it (high level)
- Looks for sensitive endpoints/operations (admin routes, destructive actions, data export) that lack consistent authorization checks.
- Flags direct object access (record lookup by ID from request) when a permission/ownership check is missing nearby.
- Uses framework-aware heuristics where possible (common auth middleware/decorators).
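The heuristics above, worked through as a small Python AST scanner. This is an added example of the general idea, not SiteShadow's detector or its rule set: the name lists (AUTH_CALLS, AUTH_DECORATORS, OWNER_NAMES, LOOKUP_PREFIXES, LOOKUP_SUFFIX) and the SAMPLE module it scans are constructed for the illustration.

```python
"""Heuristic detector for id-based record lookups with no nearby authorization check.
Added illustration of the kind of framework-aware heuristic the page describes;
it is not SiteShadow's detector. The name lists and SAMPLE are constructed.
"""
from __future__ import annotations

import ast
from typing import List, Tuple

# Calls and decorators treated as an authorization check (assumed names).
AUTH_CALLS = {"authorize", "require_owner", "check_permission", "enforce"}
AUTH_DECORATORS = {"login_required", "requires_role", "admin_required"}
# A comparison that touches one of these names counts as an ownership check.
OWNER_NAMES = {"user_id", "owner_id", "owner", "current_user"}
# Call names that look like "load one record by id".
LOOKUP_PREFIXES = ("get_", "find_", "load_", "fetch_")
LOOKUP_SUFFIX = "_by_id"

def _name_of(node: ast.AST) -> str:
    """Bare name of a Name / Attribute / Call target: db.get_invoice(...) -> 'get_invoice'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return ""

def _is_lookup(call: ast.Call) -> bool:
    name = _name_of(call)
    return name.startswith(LOOKUP_PREFIXES) or name.endswith(LOOKUP_SUFFIX)

def _uses_request_input(call: ast.Call, fn: ast.AST) -> bool:
    """True if any argument of the call references a handler parameter or `request`."""
    params = {a.arg for a in fn.args.args + fn.args.kwonlyargs}
    args = list(call.args) + [kw.value for kw in call.keywords]
    return any(
        isinstance(n, ast.Name) and (n.id in params or n.id == "request")
        for arg in args for n in ast.walk(arg)
    )

def _has_auth_check(fn: ast.AST) -> bool:
    """Decorator, known check call, or an ownership comparison anywhere in the function."""
    if any(_name_of(d) in AUTH_DECORATORS for d in fn.decorator_list):
        return True
    for node in ast.walk(fn):
        if isinstance(node, ast.Call) and _name_of(node) in AUTH_CALLS:
            return True
        if isinstance(node, ast.Compare):
            touched = {_name_of(n) for n in ast.walk(node) if isinstance(n, (ast.Name, ast.Attribute))}
            if touched & OWNER_NAMES:
                return True
    return False

def find_unchecked_lookups(source: str) -> List[Tuple[str, int, str]]:
    """Return (function, line, lookup call) for request-fed lookups with no auth check in the same function."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if _has_auth_check(fn):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and _is_lookup(node) and _uses_request_input(node, fn):
                findings.append((fn.name, node.lineno, _name_of(node)))
    return findings

# Constructed sample: a Flask-style module with one unsafe and two safe handlers.
SAMPLE = '''
@app.get("/invoices/<int:invoice_id>")
def show_invoice(invoice_id):
    invoice = get_invoice(invoice_id)
    return jsonify(invoice)

@app.get("/invoices/<int:invoice_id>/pdf")
def invoice_pdf(invoice_id):
    invoice = get_invoice(invoice_id)
    if invoice.user_id != current_user.id:
        abort(403)
    return render_pdf(invoice)

@app.get("/admin/audit")
@requires_role("admin")
def audit_log():
    return jsonify(load_audit_entries(request.args.get("limit")))
'''

if __name__ == "__main__":
    for fn_name, line, call in find_unchecked_lookups(SAMPLE):
        print(f"line {line}: {fn_name}() calls {call}() on request input with no ownership/permission check")
```

The "nearby" window here is the whole handler function; a real scanner narrows it, and it will still miss a check hidden inside a helper it does not know about, or be satisfied by a comparison on user_id that is only filtering. That is why a finding of this kind is a lead for review rather than a confirmed vulnerability.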
References
- OWASP Top 10: https://owasp.org/Top10/
- OWASP A01:2021 Broken Access Control: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
---