
Understanding API access control vulnerabilities

Access control vulnerabilities pose significant security risks in APIs, allowing unauthorized users to access, modify, or delete data that should be restricted. These vulnerabilities can lead to data breaches, privacy violations, and unauthorized system access.

This document explains the three main types of access control vulnerabilities that Invicti Platform can detect: IDOR, BOLA, and BFLA, and helps you understand the critical difference between horizontal and vertical access control issues.

What are access control vulnerabilities?

Access control vulnerabilities occur when an application authenticates a user but fails to verify that the user has permission to access the requested resource or perform the requested action. Invicti Platform reports them under three names, two of which overlap:

BOLA (Broken Object Level Authorization)

Broken Object Level Authorization (API1 in the OWASP API Security Top 10) is a vulnerability where users can access objects they are not authorized to view, modify, or delete. It occurs when an API looks an object up by the identifier supplied in the request without verifying that the authenticated user has permission to access that specific object.

For example, if a user can view another user's profile or account details by simply changing an ID in the URL, this is a BOLA vulnerability.

IDOR (Insecure Direct Object References)

Insecure Direct Object References are a specific type of BOLA vulnerability. IDOR occurs when an application exposes a reference to an internal implementation object (such as a file, directory, database record, or key) and then acts on a client-supplied reference without checking that the caller is authorized for the object it points to.

The terms IDOR and BOLA are often used interchangeably: IDOR is the older web-application name and BOLA the API-focused one, and IDOR issues are essentially a subset of BOLA vulnerabilities.

BFLA (Broken Function Level Authorization)

Broken Function Level Authorization (API5 in the OWASP API Security Top 10) is a vulnerability where users can call application functions or API endpoints that should be restricted to higher privilege levels. It occurs when the server fails to enforce a role or permission check on sensitive operations and instead relies on the endpoint being hidden from lower-privileged users.

For example, if a regular user can access administrative functions or execute privileged operations without proper authorization, this is a BFLA vulnerability.

Horizontal vs. vertical access control

Access control vulnerabilities are also categorized by the direction in which a privilege boundary is crossed. BOLA and IDOR are typically horizontal issues and BFLA is typically vertical, although an object-level flaw can also expose a higher-privileged user's records to a regular user:

Horizontal access control issues

Horizontal access control issues occur when a user can access resources or perform actions that should only be available to other users at the same privilege level.

Real-world examples:

Banking API scenario:

  • User Alice (account ID: 12345) can access /api/accounts/67890 and view User Bob's bank account details
  • Both users are regular customers with identical permission levels
  • This violates horizontal access control as Alice should only access her own account data

E-commerce API scenario:

  • Customer John can modify order /api/orders/999 which belongs to Customer Jane
  • Both are regular customers who should only manage their own orders
  • John discovered this by changing the order ID in the API request

Social media API scenario:

  • User @alice can delete posts belonging to @bob via /api/posts/{post_id}/delete
  • Both users have standard user accounts
  • Alice found she could delete any post by guessing or incrementing post IDs

Vertical access control issues

Vertical access control issues occur when a user can access resources or perform actions that should only be available to users at a higher privilege level.

Real-world examples:

User management API scenario:

  • Regular user can access /api/admin/users endpoint and retrieve all user data
  • This endpoint should only be accessible to administrators
  • The regular user discovered this endpoint through API documentation or by guessing common admin paths

Content management system scenario:

  • Standard editor can access /api/admin/settings and modify global system configurations
  • Only administrators should have permission to change system-wide settings
  • The editor bypassed the UI restrictions by calling the API directly; hiding a control in the interface is not an authorization check

Financial application scenario:

  • Regular employee can execute /api/admin/reports/financial and access sensitive financial reports
  • This functionality should be restricted to executives or finance team members
  • The employee exploited missing server-side authorization checks
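The scenarios above come down to two handlers that authenticate the caller but never authorize the request. The following is an added example (not code from the original page or from Invicti): the banking account endpoint and the admin user-listing endpoint, each written first without and then with a server-side check. Plain functions stand in for route handlers so that it runs without a web framework, and the users, roles ("customer", "admin") and account records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Authenticated caller, as recovered from the server-side session."""
    id: str
    role: str  # hypothetical role names: "customer" or "admin"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed data set; the account IDs mirror the banking scenario above.
USERS = {
    "alice": User("alice", "customer"),
    "bob": User("bob", "customer"),
    "carol": User("carol", "admin"),
}
ACCOUNTS = {
    "12345": {"owner": "alice", "balance": 2500},
    "67890": {"owner": "bob", "balance": 9100},
}


# --- Vulnerable handlers: the caller is authenticated but never authorized ---

def get_account_vulnerable(caller: User, account_id: str) -> dict:
    """GET /api/accounts/{account_id}: looks the record up by ID alone, so any
    customer can read any account by changing the ID (BOLA, horizontal)."""
    if account_id not in ACCOUNTS:
        raise NotFound(account_id)
    return ACCOUNTS[account_id]


def list_users_vulnerable(caller: User) -> list[str]:
    """GET /api/admin/users: the link is hidden in the UI, but nothing on the
    server checks the caller's role (BFLA, vertical)."""
    return sorted(USERS)


# --- Hardened handlers ---

def get_account(caller: User, account_id: str) -> dict:
    """Object-level check: the record must belong to the caller (an admin may
    read any account). Missing and foreign records get the same 404 so the
    response does not confirm which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or (record["owner"] != caller.id and caller.role != "admin"):
        raise NotFound(account_id)
    return record


def list_users(caller: User) -> list[str]:
    """Function-level check: the role comes from the session object, never from
    a request parameter, and the default outcome is deny."""
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return sorted(USERS)


def call(handler, caller: User, *args) -> int:
    """Run a handler the way a framework would and map the outcome to an HTTP status."""
    try:
        handler(caller, *args)
    except NotFound:
        return 404
    except Forbidden:
        return 403
    return 200


def replay_scenarios() -> dict[str, int]:
    """Alice (customer) reads Bob's account; Bob (customer) lists all users."""
    alice, bob, carol = USERS["alice"], USERS["bob"], USERS["carol"]
    return {
        "alice reads 67890, vulnerable": call(get_account_vulnerable, alice, "67890"),
        "alice reads 67890, hardened": call(get_account, alice, "67890"),
        "alice reads 12345, hardened": call(get_account, alice, "12345"),
        "bob lists users, vulnerable": call(list_users_vulnerable, bob),
        "bob lists users, hardened": call(list_users, bob),
        "carol lists users, hardened": call(list_users, carol),
    }


if __name__ == "__main__":
    for scenario, status in replay_scenarios().items():
        print(f"{status}  {scenario}")
```

In a real application the ownership check belongs in the query itself (`WHERE id = ? AND owner_id = ?`) rather than after the fetch, so a record the caller does not own is never loaded. Returning 404 instead of 403 for another user's object is a design choice: it keeps the endpoint from confirming which identifiers exist, which matters when IDs are sequential.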

Why access control vulnerabilities matter

Access control vulnerabilities can have severe consequences for organizations:

Data privacy impact

  • Personal data exposure: Users' sensitive information (emails, addresses, financial data) becomes accessible to unauthorized parties
  • GDPR/compliance violations: Improper access controls can lead to regulatory fines and legal issues
  • Identity theft risks: Exposed personal information can be used for malicious purposes

Business impact

  • Competitive disadvantage: Unauthorized access to business data, strategies, or customer information
  • Financial losses: Direct monetary impact from data breaches, regulatory fines, and lost customer trust
  • Operational disruption: Unauthorized modifications or deletions can disrupt business operations

Security impact

  • Privilege escalation: Attackers can gain higher-level access to systems and data
  • Lateral movement: Initial access control bypass can lead to broader system compromise
  • Data integrity issues: Unauthorized modifications can corrupt critical business data

Common vulnerability patterns

Understanding these common patterns can help you identify potential access control issues in your APIs:

Predictable object references

  • Sequential numeric IDs (user/123, order/456, document/789) that an attacker can simply increment
  • Identifiers that look random but are predictable (time-based UUIDs, for example) or are disclosed by other endpoints and responses
  • Usernames or email addresses used as identifiers in URLs

Unguessable identifiers shrink the attack surface but are not an access control: the server must still check that the caller is authorized for whatever ID it receives.

Missing authorization checks

  • Endpoints that verify authentication (a valid session or token) but never check what that identity is allowed to do
  • Access control enforced only on the client (hidden buttons, disabled menu items), which is bypassed by calling the API directly
  • Authorization decided from client-supplied values (a role or owner field in the request) rather than from the server-side session
  • Default "allow" permissions instead of "deny"

Inadequate privilege separation

  • Resources shared between user types without an owner or tenant attribute that handlers can check against
  • Several permission models in one application (role checks in one module, ownership checks in another), so that some endpoints fall between them
  • Unclear boundaries between user roles and privileges
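The patterns above are found in practice by differential testing: record requests as one identity, replay them with another identity's credentials, and compare the responses. The block below is an added example of that technique, not Invicti's scanner or code from the original page. The target is a constructed in-memory stand-in (`toy_api`) with two checks deliberately missing; the paths, role names and the verdict labels "bypassed", "partial" and "enforced" are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    role: str  # hypothetical: "customer" or "admin"


@dataclass(frozen=True)
class Request:
    method: str
    path: str


# Constructed stand-in for the target API. Ownership is enforced on orders but
# not on accounts (BOLA); the role is enforced on settings but not on the user
# list (BFLA); /api/status is legitimately public.
OWNER_OF = {
    "/api/accounts/12345": "alice",
    "/api/accounts/67890": "bob",
    "/api/orders/999": "jane",
}


def toy_api(who: Identity, req: Request) -> tuple[int, str]:
    if req.path in OWNER_OF:
        owner = OWNER_OF[req.path]
        if req.path.startswith("/api/orders/") and who.name != owner:
            return 403, ""                          # ownership check present
        return 200, f"record owned by {owner}"      # no ownership check: BOLA
    if req.path == "/api/admin/users":
        return 200, "all users"                     # role never checked: BFLA
    if req.path == "/api/admin/settings":
        return (200, "settings") if who.role == "admin" else (403, "")
    if req.path == "/api/status":
        return 200, "ok"
    return 404, ""


def differential_test(api, baseline: Identity, attacker: Identity, requests):
    """Replay every request the baseline identity could make as the attacker.

    Verdicts: "bypassed" - attacker got a success with the same body
              "partial"  - attacker got a success but a different body (review)
              "enforced" - attacker was refused
    A baseline of the same role surfaces horizontal issues; a higher-role
    baseline with a lower-role attacker surfaces vertical ones.
    """
    kind = "horizontal" if attacker.role == baseline.role else "vertical"
    findings = []
    for req in requests:
        base_status, base_body = api(baseline, req)
        if not 200 <= base_status < 300:
            continue  # the baseline itself was refused: nothing to compare
        att_status, att_body = api(attacker, req)
        if 200 <= att_status < 300 and att_body == base_body:
            verdict = "bypassed"
        elif 200 <= att_status < 300:
            verdict = "partial"
        else:
            verdict = "enforced"
        findings.append((req.method, req.path, kind, verdict))
    return findings


def run_demo() -> dict[str, tuple[str, str]]:
    """Three runs against the toy API; results keyed by path as (kind, verdict)."""
    alice, bob = Identity("alice", "customer"), Identity("bob", "customer")
    jane, carol = Identity("jane", "customer"), Identity("carol", "admin")
    runs = [
        (alice, bob, [Request("GET", "/api/accounts/12345"), Request("GET", "/api/status")]),
        (jane, bob, [Request("PATCH", "/api/orders/999")]),
        (carol, bob, [Request("GET", "/api/admin/users"), Request("GET", "/api/admin/settings")]),
    ]
    results = {}
    for baseline, attacker, requests in runs:
        for _method, path, kind, verdict in differential_test(toy_api, baseline, attacker, requests):
            results[path] = (kind, verdict)
    return results


if __name__ == "__main__":
    for path, (kind, verdict) in run_demo().items():
        print(f"{verdict:9} {kind:11} {path}")
```

Every "bypassed" result still needs triage: `/api/status` is flagged because it is public, which is the expected false positive of comparing bodies, so record only requests that touch the baseline identity's own objects or privileged functions when building the baseline. Running the same request set with an unauthenticated identity as the attacker extends the check to missing authentication.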

Next steps

Now that you understand access control vulnerabilities, you're ready to:

  1. Configure your API testing: Learn how to configure API authorization for access control testing
  2. Run comprehensive scans: Understand how to scan and troubleshoot API access control issues
  3. Review the overview: See the complete API access control testing guide

Need help?

The Invicti Support team is ready to provide you with technical help. Go to Help Center
