What are the potential authorization issues (vulnerabilities)?
Most authorization flaws come down to one of two mistakes: the check is missing/skippable (forced browsing, missing function-level AC, misconfiguration), or the check trusts attacker-controlled input (insecure IDs/IDOR, untrusted role input, path traversal, LFI/RFI).
* The sub-types of Broken Access Control fanning out — IDOR, path traversal, forced browsing, untrusted role input, missing function-level checks. *
| # | Vulnerability | What it is | Why it breaks auth |
|---|---|---|---|
| 1 | Misconfigurations | Default/leftover permissions too broad | Access is granted that nobody intended — e.g. a deploy ships with "allow all" still on |
| 2 | Insecure IDs (IDOR) | Object referenced by a guessable ID with no ownership check | Change /account/1234 → /account/1235 to read someone else's record |
| 3 | Forced browsing | Guessing/typing a privileged URL directly | /admin/users works because the page, not the request, was "protected" |
| 4 | Path traversal | ../ escapes a path-based role boundary |
/users/../managers/salaries lands in a folder the role shouldn't reach |
| 5 | LFI/RFI | User input chooses which file the server loads | ?page=../../etc/passwd reads system files (or runs remote code) |
| 6 | Client-side caching | Sensitive responses cached in the browser | Data stays readable via the Back button after logout, on a shared PC |
| 7 | Untrusted input for auth | Role/identity taken from the request | Sending role=admin in the URL/form makes the user an admin |
| 8 | Missing function-level AC | An endpoint simply has no check | The API trusts that "the UI hid the button," so a direct call succeeds |
Why these dominate: Broken Access Control was #1 in the OWASP Top 10 (2021). The checks are scattered logic, not a single library, so one forgotten endpoint is enough — and verifying them is combinatorial: every endpoint × every role × every action must be tested.
See: OWASP Authorization Cheat Sheet
Go deeper:
OWASP Top 10 — A01: Broken Access Control — the #1 risk; backs the "94% of apps had some broken access control" figure.