To avoid broken access control, choose one access control model for your application, apply it consistently throughout development, and test it continuously so that it has as few points of failure as possible. The four standard access control models are Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based Access Control (RBAC or RB-RBAC). Each model has strengths and weaknesses and must be selected carefully to fit your system's design and purpose.
EXAMPLE OF AN ATTACK.
Checking access controls only partially (black-list mode) is risky. If a developer later adds pages but forgets to update the access control logic, users without the proper access rights can still reach those pages and perform malicious actions, because any page missing from the list is open by default.
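To illustrate this failure mode, here is an added example (not code from the original article): a deny-list route check beside a default-deny allow-list check in Python, with made-up paths and roles. A page added after the deny-list table was written is reachable by a guest under the first check and refused under the second.

```python
# Added example (not from the original article): a deny-list ("black-list")
# route check beside a default-deny allow-list check, to show why the former
# silently fails open when a new page is added. Paths and roles are made up.

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


# Deny-list mode: only the pages listed here are checked; anything else is open.
# When the developer adds "/admin/export" later and forgets this table,
# the new page is reachable by everyone.
DENY_LIST_RULES = {
    "/admin/users": {"admin"},
    "/admin/settings": {"admin"},
}


def allowed_deny_list(user: User, path: str) -> bool:
    required = DENY_LIST_RULES.get(path)
    if required is None:  # unknown page: no rule, so access is granted
        return True
    return bool(user.roles & required)


# Allow-list mode (default deny): every page must be registered with the roles
# that may reach it; an unregistered page is refused for everyone, so a
# forgotten entry shows up as a 403 during testing instead of a silent breach.
ALLOW_LIST_RULES = {
    "/": {"anonymous", "user", "admin"},
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/settings": {"admin"},
}


def allowed_allow_list(user: User, path: str) -> bool:
    required = ALLOW_LIST_RULES.get(path)
    if required is None:  # unknown page: fail closed
        return False
    return bool(user.roles & required)


def compare(path: str, user: User) -> tuple:
    """Return (deny_list_decision, allow_list_decision) for one request."""
    return allowed_deny_list(user, path), allowed_allow_list(user, path)


if __name__ == "__main__":
    guest = User("guest", {"anonymous"})
    # A page added after the deny-list table was written.
    print(compare("/admin/export", guest))  # (True, False)
```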