Skip to content

How to Fix Broken Access Control Vulnerabilities

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Broken Access Control Vulnerabilities. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Broken access control vulnerabilities occur when applications fail to properly restrict user access to resources or functions. Users can view admin pages, modify other users' data, or perform privileged operations without authorization.

Quick Fix

Wrong

// Admin panel accessible without role check
app.get("/admin/users", [](Request& req, Response& res) {
    auto users = db.query("SELECT * FROM users");
    res.json(users);
});

Any authenticated user can access the admin panel by navigating to /admin/users.

app.get("/admin/users", requireRole("admin"),
    [](Request& req, Response& res) {
        auto users = db.query("SELECT * FROM users");
        res.json(users);
    });

Fix with middleware

auto requireRole = [](const std::string& role) {
    return [role](Request& req, Response& res, Next& next) {
        if (req.session.role != role && role != "any") {
            res.status(403).send("Forbidden");
            return;
        }
        next();
    };
};

Fix for vertical access control

// Check role hierarchy
if (!userHasPrivilege(req.session, "user:delete")) {
    res.status(403).send("Insufficient privileges");
    return;
}

Fix for horizontal access control

app.get("/api/order/:id", [](Request& req, Response& res) {
    int orderId = std::stoi(req.param("id"));
    int userId = req.session.userId;
    auto order = db.query(
        "SELECT * FROM orders WHERE id = ? AND user_id = ?",
        orderId, userId);
    if (order.empty()) {
        res.status(404).send("Not found");
        return;
    }
    res.json(order);
});

Prevention

  • Enforce access control checks on every request, not just UI hiding.
  • Use role-based (RBAC) or attribute-based (ABAC) access control.
  • Deny by default: reject access unless explicitly permitted.
  • Implement access control in middleware, not in individual handlers.
  • Test access control with automated scanning for each role.

DodaTech Tools

Doda Browser's access control tester enumerates endpoints for each role and detects privilege escalation paths. DodaZIP archives RBAC/ABAC policies for audits. Durga Antivirus Pro detects unauthorized access attempts.

Common Mistakes with access control

  1. Using foldl instead of foldl' causing stack overflow on large lists
  2. Forgetting deriving (Show, Eq) on custom data types needed for debugging
  3. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable

These mistakes appear frequently in real-world BROKEN code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What is the difference between vertical and horizontal access control?

Vertical access control restricts which roles can access which functions (admin vs user). Horizontal access control restricts which data a user can access within the same role (user A cannot access user B's data).

What is a privilege escalation vulnerability?

Privilege escalation occurs when a user gains access to resources or functions that their role should not permit. Vertical escalation: user becomes admin. Horizontal escalation: user accesses another user's data.

How do I implement access control in a REST API?

Use middleware that extracts the user's role and checks against endpoint permissions. Use a permission matrix: POST /api/orders requires order:create, GET /api/admin/users requires admin role.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro