Security - Authorization | Beginner-Intermediate | 6 possible tests

Broken Access Control

Switch between users and test which endpoints enforce role and ownership checks - and which ones don't.


What is Broken Access Control?

Access control enforces that users can only perform actions they are permitted to. Broken access control means a regular user can access admin functions, other users' data, or perform actions restricted to specific roles.

What is hidden here

  • True Positive: Admin panel correctly returns 403 to regular users
  • True Negative: Admin user can access the admin panel
  • Bug Found: Delete endpoint has no ownership check - any user can delete any card
  • True Positive: Delete endpoint with ownership check correctly blocks the operation
  • Bug Found: Admin data endpoint returns sensitive data to non-admin users
  • True Positive: Protected endpoint correctly returns 403 for non-admin

TEST 1
Access Admin Panel
The admin panel should only be accessible to users with the admin role. Switch users to see how the response changes.
POST /qa-sandbox/access-control/
action=admin-panel   user=alice
TEST 2
Delete Card - No Ownership Check
This delete endpoint processes the request without verifying that the acting user owns the card. Try deleting a card belonging to someone else.

Target cards: Card #1 - Alice, Card #2 - Bob, Card #3 - Carol
POST /qa-sandbox/access-control/
action=delete-no-check   user=alice   card_id=1
TEST 3
Delete Card - With Ownership Check
This endpoint verifies that the acting user owns the card before processing the delete. Try the same action as Test 2 - the result should be different.
POST /qa-sandbox/access-control/
action=delete-with-check   user=alice   card_id=1
TEST 4
Admin Data Endpoint
This endpoint returns the user list, e-mail addresses, and system notes. It should require the admin role, but it does not.
POST /qa-sandbox/access-control/
action=admin-data   user=alice
TEST 5
Protected Endpoint
This endpoint correctly enforces role-based access control. Use it as a baseline to compare against the broken endpoints above.
POST /qa-sandbox/access-control/
action=protected-endpoint   user=alice

  • Test 1: Switch to Alice or Bob, click GET /admin-panel/ - expect 403 (true positive)
  • Test 1: Switch to Admin, click GET /admin-panel/ - expect access granted (true negative)
  • Test 2: Switch to Alice, target Card #2 (Bob's), click DELETE - request succeeds with no check (bug found)
  • Test 3: Same action - Alice targeting Bob's card - this time correctly blocked with 403 (true positive)
  • Test 3: Switch to Bob, target Card #2 - own card, delete succeeds (true negative)
  • Test 4: Switch to Alice (regular user), click GET /admin/data/ - admin data returned without role check (bug found)
  • All tests are Postman-compatible: POST x-www-form-urlencoded with action and user params
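As an added illustration (not the sandbox's own code), a small Python model of the endpoints above: the ownership-less delete handler from Test 2 beside the checked one from Test 3, and a role gate of the kind Test 5 enforces and Test 4 omits. The user roles, card owners and policy table are constructed assumptions, not values taken from the sandbox backend.

```python
from typing import Optional

# Constructed sample data modelled on the sandbox: user roles and card ownership.
USERS = {"alice": "user", "bob": "user", "carol": "user", "admin": "admin"}
CARDS = {1: "alice", 2: "bob", 3: "carol"}

# Hypothetical policy table: actions that require the admin role. The sandbox's
# admin-data endpoint lacks this gate, which is the Test 4 bug.
ROLE_REQUIRED = {"admin-panel": "admin", "admin-data": "admin", "protected-endpoint": "admin"}


def delete_card_no_check(user: str, card_id: int, cards: dict) -> int:
    """Test 2 behaviour: acts on the client-supplied card_id, never compares owner to actor."""
    if card_id not in cards:
        return 404
    del cards[card_id]
    return 200


def delete_card_with_check(user: str, card_id: int, cards: dict) -> int:
    """Test 3 behaviour: load the object, then verify ownership (or admin role) server-side."""
    if card_id not in cards:
        return 404
    if cards[card_id] != user and USERS.get(user) != "admin":
        return 403  # acting user is neither the owner nor an admin
    del cards[card_id]
    return 200


def handle(form: dict, cards: Optional[dict] = None) -> int:
    """Dispatch one x-www-form-urlencoded POST (action, user, card_id) and return an HTTP status."""
    cards = CARDS.copy() if cards is None else cards
    action, user = form.get("action"), form.get("user")
    if user not in USERS:
        return 401  # no simulated session for this user
    # Role gate runs before any handler work, so restricted actions fail closed.
    if action in ROLE_REQUIRED:
        return 200 if USERS[user] == ROLE_REQUIRED[action] else 403
    if action in ("delete-no-check", "delete-with-check"):
        card_id = form.get("card_id")
        if not card_id or not card_id.isdigit():
            return 400  # object reference missing or malformed
        handler = delete_card_no_check if action == "delete-no-check" else delete_card_with_check
        return handler(user, int(card_id), cards)
    return 404  # unknown action
```

Replaying the expected outcomes listed above against `handle` reproduces each true positive, true negative and bug found in turn.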