A01: Broken Access Control
Simulate accessing an admin's account from a regular user's session by manipulating the ID in the URL.
Interactive Simulation
Log in as a regular user to begin.
How to Simulate
- Click 'Login as Alice' to start the simulation.
- With the defense disabled, change the Account ID in the URL bar from 123 to 124.
- Click 'Go' and observe that you can see the Administrator's account details.
- Enable the 'Enforce Authorization' defense and try to view account 124 again.
- Observe that the request is now blocked.
Explanation
Broken Access Control occurs when restrictions on what authenticated users are allowed to do are not properly enforced. This allows attackers to access unauthorized functionality or data, such as accessing other users' accounts, viewing sensitive files, or modifying other users' data.
In this simulation, the application determines which user account to display based on an ID in the URL. Without proper checks, an attacker can simply change this ID to view any other user's account, including an administrator's.
Toggle Defense
Enabling this makes the server check, on every request, that the ID of the resource you are trying to view matches the user ID stored in your server-side session rather than trusting the ID supplied in the URL. Requests for any other account are rejected, which blocks this kind of unauthorized access.
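The behaviour described in the Explanation and Toggle Defense sections above, as an added illustration that is not the simulation's own code: a minimal account handler with the 'Enforce Authorization' toggle modelled as a parameter. The account table, the session shape (`{"user_id": ...}`) and the URL form `/account?id=<n>` are assumptions chosen to match the simulation's IDs 123 (Alice) and 124 (administrator).

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: Alice (regular user) owns account 123,
# the administrator owns account 124.
ACCOUNTS = {
    123: {"owner": "alice", "role": "user", "balance": 250},
    124: {"owner": "admin", "role": "administrator", "balance": 98000},
}


def handle_account_request(session, url, enforce_authorization):
    """Serve GET /account?id=<n> and return (status, body).

    session: dict set at login, e.g. {"user_id": 123} for Alice (assumed shape).
    enforce_authorization: mirrors the simulation's 'Enforce Authorization' toggle.
    """
    query = parse_qs(urlparse(url).query)
    try:
        account_id = int(query.get("id", [""])[0])
    except ValueError:
        return 400, {"error": "invalid account id"}

    if "user_id" not in session:
        return 401, {"error": "login required"}

    # Object-level authorization: the requested resource must belong to the
    # session's user. This runs before the lookup so a denied request does
    # not reveal whether the account exists.
    if enforce_authorization and account_id != session["user_id"]:
        # Worth logging: a run of 403s across sequential IDs from one session
        # is the signature defenders look for when hunting IDOR probing.
        print(f"AUDIT denied user={session['user_id']} requested account={account_id}")
        return 403, {"error": "forbidden"}

    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, {"error": "no such account"}
    return 200, account


if __name__ == "__main__":
    alice = {"user_id": 123}
    # Defense disabled: the URL ID alone decides what is shown, so 124 leaks.
    print(handle_account_request(alice, "/account?id=124", enforce_authorization=False))
    # Defense enabled: the same request is refused with 403.
    print(handle_account_request(alice, "/account?id=124", enforce_authorization=True))
```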