How to Fix Broken Access Control Vulnerabilities
In this tutorial, you'll learn about How to Fix Broken Access Control Vulnerabilities. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Broken access control vulnerabilities occur when applications fail to properly restrict user access to resources or functions. Users can view admin pages, modify other users' data, or perform privileged operations without authorization.
Quick Fix
Wrong
// Admin panel accessible without role check
app.get("/admin/users", [](Request& req, Response& res) {
auto users = db.query("SELECT * FROM users");
res.json(users);
});
Any authenticated user can access the admin panel by navigating to /admin/users.
Right
app.get("/admin/users", requireRole("admin"),
[](Request& req, Response& res) {
auto users = db.query("SELECT * FROM users");
res.json(users);
});
Fix with middleware
auto requireRole = [](const std::string& role) {
return [role](Request& req, Response& res, Next& next) {
if (req.session.role != role && role != "any") {
res.status(403).send("Forbidden");
return;
}
next();
};
};
Fix for vertical access control
// Check role hierarchy
if (!userHasPrivilege(req.session, "user:delete")) {
res.status(403).send("Insufficient privileges");
return;
}
Fix for horizontal access control
app.get("/api/order/:id", [](Request& req, Response& res) {
int orderId = std::stoi(req.param("id"));
int userId = req.session.userId;
auto order = db.query(
"SELECT * FROM orders WHERE id = ? AND user_id = ?",
orderId, userId);
if (order.empty()) {
res.status(404).send("Not found");
return;
}
res.json(order);
});
Prevention
- Enforce access control checks on every request, not just UI hiding.
- Use role-based (RBAC) or attribute-based (ABAC) access control.
- Deny by default: reject access unless explicitly permitted.
- Implement access control in middleware, not in individual handlers.
- Test access control with automated scanning for each role.
DodaTech Tools
Doda Browser's access control tester enumerates endpoints for each role and detects privilege escalation paths. DodaZIP archives RBAC/ABAC policies for audits. Durga Antivirus Pro detects unauthorized access attempts.
Common Mistakes with access control
- Using
foldlinstead offoldl'causing stack overflow on large lists - Forgetting
deriving (Show, Eq)on custom data types needed for debugging - Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
These mistakes appear frequently in real-world BROKEN code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro