Within the application's core security mechanisms, access controls are logically built upon authentication and session management. So far, you have seen how an application can first verify a user's identity and then confirm that a particular sequence of requests that it receives originated from the same user. The primary reason that the application needs to do these things, in terms of security at least, is because it needs a way of deciding whether it should permit a given request to perform its attempted action or access the resources that it is requesting. Access controls are a critical defense mechanism within the application because they are responsible for making these key decisions. When they are defective, an attacker can often compromise the entire application, taking control of administrative functionality and accessing sensitive data belonging to every other user.

As we noted in Chapter 1, broken access controls are among the most commonly encountered categories of web application vulnerability, affecting a massive 78% of the applications recently tested by the authors. Somewhat incredibly, it is extremely common to encounter applications that go to all the trouble of implementing robust mechanisms for authentication and session management, only to squander that investment by neglecting to build any effective access controls upon them.

Access control vulnerabilities are conceptually very simple: the application is letting you do something ...