Testing for Broken Access Control

When to Use

• During authorized penetration tests as the primary assessment for OWASP A01:2021 - Broken Access Control
• When evaluating role-based access control (RBAC) implementations across all application endpoints
• For testing multi-tenant applications where users in one organization should not access another's data
• When assessing API endpoints for missing or inconsistent authorization checks
• During security audits where privilege escalation and unauthorized access are primary concerns

Prerequisites

• Authorization: Written penetration testing agreement for the target
• Burp Suite Professional: With Authorize extension for automated access control testing
• Multiple test accounts: Accounts at each role level (admin, manager, user, guest)
• Application role matrix: Documentation of what each role should and should not access
• curl/httpie: For manual endpoint testing with different authentication contexts
• ffuf: For discovering hidden endpoints that may lack access controls