LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the potential authorization issues (vulnerabilities)?

Most authorization flaws come down to one of two mistakes: the check is missing/skippable (forced browsing, missing function-level AC, misconfiguration), or the check trusts attacker-controlled input (insecure IDs/IDOR, untrusted role input, path traversal, LFI/RFI).

Broken Access Control sub-types: IDOR, path traversal, forced browsing, untrusted role input, missing function-level control.

* The sub-types of Broken Access Control fanning out — IDOR, path traversal, forced browsing, untrusted role input, missing function-level checks. *

# Vulnerability What it is Why it breaks auth
1 Misconfigurations Default/leftover permissions too broad Access is granted that nobody intended — e.g. a deploy ships with "allow all" still on
2 Insecure IDs (IDOR) Object referenced by a guessable ID with no ownership check Change /account/1234/account/1235 to read someone else's record
3 Forced browsing Guessing/typing a privileged URL directly /admin/users works because the page, not the request, was "protected"
4 Path traversal ../ escapes a path-based role boundary /users/../managers/salaries lands in a folder the role shouldn't reach
5 LFI/RFI User input chooses which file the server loads ?page=../../etc/passwd reads system files (or runs remote code)
6 Client-side caching Sensitive responses cached in the browser Data stays readable via the Back button after logout, on a shared PC
7 Untrusted input for auth Role/identity taken from the request Sending role=admin in the URL/form makes the user an admin
8 Missing function-level AC An endpoint simply has no check The API trusts that "the UI hid the button," so a direct call succeeds

Why these dominate: Broken Access Control was #1 in the OWASP Top 10 (2021). The checks are scattered logic, not a single library, so one forgotten endpoint is enough — and verifying them is combinatorial: every endpoint × every role × every action must be tested.

See: OWASP Authorization Cheat Sheet

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026