Reply To: OCU C)SP D Week 02 Lesson 04 Discussion
Broken Access Control happens when an app fails to enforce “who can do what.” Attackers can change a URL, swap an ID in a request, or replay a method to view or edit another user’s data. In worse cases, they can act as an admin without proper rights. The impact is high because it lets someone read, change, or delete sensitive records with very little effort.
This control is critical because access checks must occur on every request. A single missed check creates a direct path to data exposure or account takeover. Strong defenses include deny-by-default rules, server-side authorization for each action, and mapping roles to least-privilege permissions. Avoid trusting anything from the client (IDs, roles, or UI state), centralize access checks in middleware, log decisions, and add automated tests for IDOR and method-bypass cases. Done right, access control limits the blast radius of any account and protects the whole system.
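As an added illustration (not code from the original post), the snippet below places an IDOR- and method-bypass-prone handler next to a hardened one that routes every request through a single deny-by-default `authorize()` check driven by the server-side session, with role-to-permission mapping and decision logging. The records, roles and permission names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not from the original post): record id -> (owner id, payload)
RECORDS = {101: (1, "alice medical history"), 202: (2, "bob payroll")}
# Role -> permitted actions. Least privilege: anything not listed is denied.
PERMISSIONS = {"user": {"read_own", "update_own"},
               "admin": {"read_own", "update_own", "read_any", "update_any", "delete_any"}}
AUDIT = []  # every authorization decision is recorded for review

@dataclass(frozen=True)
class Session:
    """Server-side session: identity and role come from here, never from the client."""
    user_id: int
    role: str

class Forbidden(Exception):
    pass

def handle_vulnerable(method, record_id, claimed_role):
    """'Before' handler: IDOR (any id in the URL is served) and method bypass
    (a DELETE is honoured because a role field in the request body says admin)."""
    if method == "DELETE" and claimed_role == "admin":
        return f"deleted {record_id}"
    return RECORDS[record_id][1]

def authorize(session, method, record_id):
    """Single choke point, called on every request. Deny by default."""
    needed = {"GET": "read", "PUT": "update", "DELETE": "delete"}.get(method)
    if needed is None:  # unknown verbs are refused, not passed through
        decision = False
    else:
        scope = "own" if RECORDS[record_id][0] == session.user_id else "any"
        decision = f"{needed}_{scope}" in PERMISSIONS.get(session.role, set())
    AUDIT.append((session.user_id, method, record_id, decision))
    return decision

def handle_secure(session, method, record_id):
    """'After' handler: the id from the URL is checked against the server-side session."""
    if not authorize(session, method, record_id):
        raise Forbidden(f"{session.role} {session.user_id} may not {method} {record_id}")
    return f"deleted {record_id}" if method == "DELETE" else RECORDS[record_id][1]

def denied(handler, *args):
    """True if the handler refuses the request (used by the checks below)."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True
```

The `denied()` helper is what an automated IDOR/method-bypass test would call: a user reading another user's record, a user issuing DELETE, or an unknown verb must all come back refused.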