broken-access-control
Safeguard articles tagged "broken-access-control" — guides, analysis, and best practices for software supply chain and application security.
11 articles
AI-driven DAST for modern applications
73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.
Broken access control in Express: the OWASP #1 risk, fixed with middleware
Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.
Confluence Broken Access Control Zero-Day (CVE-2023-22515) Explained
CVE-2023-22515 let unauthenticated attackers create rogue administrator accounts on Confluence Data Center and Server. Here's the broken-access-control flaw and how to fix it.
OWASP A01: Broken Access Control — A Deep-Dive Guide
Broken Access Control is the #1 OWASP Top 10 (2021) risk. A deep dive into IDOR, missing authorization, real CVEs, and how to detect and fix it in 2026.
Preventing broken access control in Express.js applications
Express.js ships with no built-in authorization layer, making broken access control easy to introduce and hard to catch with pattern-based scanners.
What is Broken Access Control
Broken access control is OWASP's #1 web risk, found in 94% of apps tested. See how IDOR flaws breached First American, USPS, and Parler.
What is Insecure Direct Object Reference (IDOR)
IDOR lets attackers access other users data just by changing an ID in a URL or API call. Learn how it works, real breaches, and how to fix it.
Confluence Zero-Day Lessons: What CVE-2023-22515 Showed About SaaS-Adjacent On-Prem Risk
The Confluence broken access control zero-day from October 2023 hit thousands of self-hosted instances. A 2026 look at the exploit, the response, and the durable lessons.
Insecure direct object reference (IDOR) explained
IDOR lets attackers access other users' data by editing an ID in a request. See how it broke USPS, Panera, and First American — and how to actually fix it.
Broken access control explained
Broken access control has topped OWASP's Top 10 since 2021. See real breaches, common patterns like IDOR, and how to detect and fix them.
Broken Function Level Authorization (BFLA) in APIs
BFLA lets a regular user call admin-only API functions. Here's how the USPS, Peloton, and Coinbase incidents happened — and how to catch it before attackers do.