Broken access control continues to be a significant concern in cybersecurity, consistently ranking as the number one risk in the OWASP Top 10 list. A recent study by Kaspersky Security Assessment experts found that between 2021 and 2023, 70% of the web applications examined exhibited vulnerabilities related to access control and data protection. These flaws can lead to unauthorized access, data alteration, or deletion, posing substantial risks to organizations. (Source: usa.kaspersky.com)
The prevalence of broken access control is further underscored by its consistent appearance at the top of the OWASP Top 10 list. The 2025 release candidate indicates that 100% of the applications tested had some form of broken access control, with notable Common Weakness Enumerations (CWEs) including CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-201: Exposure of Sensitive Information Through Sent Data, and CWE-918: Server-Side Request Forgery (SSRF). (Source: owasp.org)
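To make the category concrete, the following is an added illustration (not code from the Kaspersky or OWASP material cited above) of the most common shape these findings take: a record-lookup endpoint that authenticates the caller but never checks whether that caller is allowed to see the requested object. The vulnerable handler and a hardened, deny-by-default replacement sit side by side; all users, records, ids and the in-memory store are constructed sample data, and the function and class names are assumptions for this example.

```python
"""Added example: a missing object-level authorization check beside its fix.
Everything here (users, records, ids, the RECORDS store) is constructed data."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample store: two records owned by two different users.
RECORDS = {
    1: Record(record_id=1, owner_id=100, body="invoice for user 100"),
    2: Record(record_id=2, owner_id=200, body="invoice for user 200"),
}

# Denied attempts are recorded so they can be surfaced to monitoring;
# a burst of denials across many ids from one account is a useful signal.
DENIALS: list[tuple[int, int]] = []


class AccessDenied(Exception):
    """Raised for both missing and forbidden records (same response either way)."""


def fetch_record_broken(requester: User, record_id: int) -> Record:
    """Vulnerable form: the caller is authenticated, but the id they supply
    is trusted as-is, so any logged-in user can read any record
    (the CWE-200 style exposure the text describes)."""
    return RECORDS[record_id]


def is_authorized(requester: User, record: Record, action: str) -> bool:
    """Deny by default: only an explicit allow rule returns True."""
    if "admin" in requester.roles:
        return True
    if action == "read" and record.owner_id == requester.user_id:
        return True
    return False


def fetch_record(requester: User, record_id: int) -> Record:
    """Hardened form: look the record up, then enforce ownership/role before
    returning it. Missing and forbidden ids both raise AccessDenied so the
    response does not reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or not is_authorized(requester, record, "read"):
        DENIALS.append((requester.user_id, record_id))
        raise AccessDenied(f"read denied for record {record_id}")
    return record


def denial_count(user_id: int) -> int:
    """Number of denied reads logged for a given user (for detection logic)."""
    return sum(1 for uid, _ in DENIALS if uid == user_id)


if __name__ == "__main__":
    alice, bob = User(100), User(200)
    print(fetch_record_broken(bob, 1).body)   # broken: bob reads alice's record
    print(fetch_record(alice, 1).body)        # allowed: alice owns record 1
    try:
        fetch_record(bob, 1)
    except AccessDenied as exc:
        print(exc)                            # denied and logged
```

The point of the hardened version is that the authorization decision is made per object on the server, against the identity established by the session, rather than inferred from the id the client sent; collapsing "not found" and "forbidden" into one outcome, and logging the denials, are the two additions a reviewer would expect alongside the check itself.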
Key Takeaways
- Broken access control is the top-ranked risk in the OWASP Top 10 list.
- A Kaspersky study found 70% of web applications had access control vulnerabilities between 2021 and 2023.
- The 2025 OWASP Top 10 release candidate reports 100% of tested applications had broken access control issues.
- Common vulnerabilities include exposure of sensitive information and server-side request forgery.
- Addressing these vulnerabilities is crucial to prevent unauthorized access and data breaches.