Imagine a hospital. The hospital has different areas for different people. Patients can only go to their own ward and the waiting room. Nurses can access patient records and medicine storage. Doctors can access everything nurses can, plus surgery rooms. The CEO can access administrative offices. Security guards can go everywhere but cannot read patient files.
This is access control in the real world: the right people get access to the right things, and nothing more.
Web applications work the same way. Every user has a role. A normal user should only see their own data. An admin should be able to manage all users. A moderator should be able to remove content.
When these rules break down, or are not enforced properly, that is called Broken Access Control.
This is the #1 vulnerability in OWASP Top 10 2021. It was found in 94% of all web applications tested during research. That means if you randomly pick 100 websites and test them — 94 of them will have some form of broken access control.
Why is it so common? Because developers focus on building features fast. Adding proper access checks on every single endpoint takes time and careful thought. Under deadline pressure, these checks get skipped or forgotten.
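To make the "skipped check" concrete, here is an added example (not code from the original page) that encodes the three roles described above in a small authorization function and puts a broken record lookup next to a hardened one. The users, records and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user", "admin" or "moderator"


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int


# Constructed sample data: two ordinary users, a moderator and an admin.
ALICE, BOB = User(1, "user"), User(2, "user")
MOD, ADMIN = User(3, "moderator"), User(4, "admin")
RECORDS: Dict[int, Record] = {10: Record(10, owner_id=1), 11: Record(11, owner_id=2)}


def can(caller: User, action: str, target: Optional[Record] = None) -> bool:
    """Central policy: deny by default, allow only what the role is meant to do."""
    if caller.role == "admin":
        return True  # admins manage all users and all data
    if action == "view_record":
        # a normal user (or moderator) may only see their own data
        return target is not None and target.owner_id == caller.id
    if action == "remove_content":
        return caller.role == "moderator"
    return False  # "manage_users" and anything unknown is denied


def view_record_broken(caller: User, record_id: int) -> Optional[Record]:
    """The bug: the requested id is trusted and the caller is never checked."""
    return RECORDS.get(record_id)


def view_record(caller: User, record_id: int) -> Optional[Record]:
    """Hardened: every request is checked against role and ownership."""
    rec = RECORDS.get(record_id)
    if rec is None or not can(caller, "view_record", rec):
        return None  # same answer for missing and forbidden, so nothing is leaked
    return rec
```

The key habit is that `view_record` calls the one policy function on every request; the broken version fails precisely because that call was skipped under time pressure.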
Answer the following: