Simuna Infosec
Technical | 2026-07-04

Broken Access Control: Why It's the #1 Web Application Vulnerability for Vietnamese Businesses

Broken Access Control has been the top OWASP risk since 2021. What it is, why scanners miss it, and how expert testing finds it. Guidance for the Vietnamese market.

Broken Access Control has held the number-one position in the OWASP Top 10 since 2021 and retained it in the 2025 edition. It encompasses vulnerabilities where users can act outside their intended permissions — accessing other users' data, modifying records they shouldn't, or escalating their role. The most common manifestation is Insecure Direct Object References (IDOR), where changing an ID parameter in a request grants access to another user's data. Automated scanners consistently fail to detect these flaws because they cannot understand which data belongs to which user. Finding broken access control requires a human tester who maps the intended authorisation model and systematically tests every endpoint with every role — verifying that User A cannot reach User B's resources across every data access path.
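The IDOR pattern and the role-by-role check described above, as an added example that is not code from the article or from Simuna Infosec. The order records, user names and the `get_order_vulnerable` / `get_order_secure` handlers are constructed for illustration; `allowed()` stands in for the intended authorisation model that a tester writes down before exercising each endpoint as every role, and `access_matrix()` is the systematic "User A cannot reach User B's resources" sweep that a scanner, lacking knowledge of ownership, cannot perform.

```python
"""IDOR (Broken Access Control) illustration: a vulnerable order lookup beside
its hardened form, plus an authorisation-matrix check that exercises the
handler as every user against every object.

Constructed sample data and hypothetical handlers, not code from the article.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records: which user owns which order.
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
    1003: {"owner": "alice", "total": 19.99},
}

# Constructed users and their roles; "support" is a legitimately privileged role.
USERS: Dict[str, str] = {"alice": "customer", "bob": "customer", "carol": "support"}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def allowed(user: str, order: dict) -> bool:
    """The intended authorisation model, written down explicitly: an owner may
    read their own orders, the support role may read any order, nobody else may."""
    return order["owner"] == user or USERS.get(user) == "support"


def get_order_vulnerable(session_user: str, order_id: int) -> Optional[dict]:
    """IDOR pattern: the session proves who the caller is, but the lookup uses
    only the caller-controlled order_id, so any authenticated user can read any
    order simply by changing the number in the request."""
    return ORDERS.get(order_id)


def get_order_secure(session_user: str, order_id: int) -> Optional[dict]:
    """Hardened form: the lookup is checked against the caller's identity and
    role. A missing order and a forbidden order produce the same outcome, so
    the ID space does not leak which records exist."""
    order = ORDERS.get(order_id)
    if order is None or not allowed(session_user, order):
        raise Forbidden()  # map to one identical 404/403 response at the edge
    return order


def access_matrix(
    handler: Callable[[str, int], Optional[dict]],
) -> List[Tuple[str, int]]:
    """Exercise the handler as every user against every object ID and return
    the (user, order_id) pairs where a user obtained an order the model says
    they may not see. This is the per-role sweep of every data access path
    that finds horizontal (user-to-user) and vertical (role) escalation."""
    violations: List[Tuple[str, int]] = []
    for user in USERS:
        for oid, record in ORDERS.items():
            try:
                result = handler(user, oid)
            except Forbidden:
                continue  # denied: consistent with the model, nothing to report
            if result is not None and not allowed(user, record):
                violations.append((user, oid))
    return violations


if __name__ == "__main__":
    print("vulnerable handler:", access_matrix(get_order_vulnerable))
    print("secure handler:    ", access_matrix(get_order_secure))
```

The matrix deliberately takes the handler as a parameter so the same sweep runs unchanged against every endpoint that accepts an object identifier; in a real engagement the "handler" is an authenticated HTTP call made with each role's session and the model is the access policy agreed with the application owner.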