https://www.secdev.uk/blog/tags/cwe-639/ Recent content in CWE-639 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 15 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-15-broken-access-control/ Sat, 15 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-15-broken-access-control/ <p>Broken access control sits at the top of the OWASP Top 10 for good reason, and it&rsquo;s the vulnerability class I find most fascinating to research. It&rsquo;s the most common serious vulnerability in modern web applications, and it&rsquo;s almost entirely a logic problem, no amount of input sanitization or encryption fixes it. The application simply fails to verify that the authenticated user is authorized to perform the requested action on the requested resource. In this post, I want to walk through the patterns that show up across Python, Java, and Go, from the IDOR that any pentester would find in minutes to the subtle authorization gaps that can survive months of code review.</p>