A01 — Broken Access Control Secure

1000-ft view: access control fails when apps don’t consistently enforce who can access which resources or functions. These secure demos show how to handle: IDOR (numeric), IDOR (guessable “UUID”), Function-level auth, Mass assignment, and Direct object access (DOR).

Attack 1 Attack 2 Attack 3 Attack 4 Attack 5

Uses the shared DB with module-scoped tables (a01_*). Seed data lives in db/seed.sql. Compare with the Insecure version.

Attack 1 — IDOR (Numeric ID)

enforce owner in WHERE

Secure idea: when fetching a note by numeric id, include the current user’s id in the query (e.g., WHERE id=? AND user_id=?). Never fetch first then filter in PHP.

  1. Enter a Note ID you own (see seed notes for your user).
  2. Submit — the endpoint enforces ownership and only shows your note.
List My Notes

Attack 2 — IDOR (Guessable “UUID”)

unguessable ids + auth

Secure idea: if using a public identifier like public_id, make it unguessable (e.g., 128-bit random encoded) and still enforce access rules. Don’t rely on obscurity alone.

  1. Enter a note’s public_id you own.
  2. Submit — endpoint checks both public_id and owner.

Attack 3 — Function-Level Authorization

server-side role check

Secure idea: don’t rely on hidden buttons or client checks. The server must verify the caller’s role (e.g., admin) inside the action.

  1. Enter a user id to promote.
  2. Submit — secure endpoint checks current_user()->is_admin first.

Attack 4 — Mass Assignment

allowlist fields only

Secure idea: ignore unexpected fields from clients; update only an allowlist (e.g., display_name). Never accept is_admin or credit blindly.

  1. Edit your profile. The secure endpoint only updates the allowlisted field(s).
  2. Attempts to set is_admin=1 or credit=9999 are ignored/clamped.

Attack 5 — Direct Object/File Access (DOR)

owner check + canonical path

Secure idea: fetch files by a DB record that encodes ownership (files.user_id). Check owner in SQL, then resolve a canonical path under a safe root.

  1. Enter a File ID you own, or click “List My Files.”
  2. Open the file — endpoint ensures the file belongs to you and the path is safe.
List My Files