OWASP_TOP10 A01:2021 · voice-validated

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorised information disclosure, modification, or destruction of data, or performing a business function outside the user's limits. Common vulnerabilities include violation of the principle of least privilege, bypass via URL tampering or parameter modification, elevation of privilege, metadata manipulation, and CORS misconfiguration.
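The paragraph above names the two failure modes a pentester most often finds under A01: an object reference in the URL or request body that is trusted without an ownership check ("bypass via URL tampering or parameter modification"), and a CORS policy that echoes whatever Origin the browser sends. The following Python is an added example, not code from the SQUR page or from OWASP: a vulnerable handler beside its deny-by-default fix, and an allowlist-based CORS origin check. The users, document ids, roles and origins are constructed sample data, and the handler names are hypothetical.

```python
"""Added example (not part of the page or of OWASP): object-level
authorization with and without the A01 'parameter modification' flaw,
plus a CORS origin check that does not reflect arbitrary origins.
All users, documents, roles and origins below are constructed."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str
    body: str


# Constructed store, keyed by the id a client would place in the URL.
DOCUMENTS = {
    101: Document(101, "alice", "alice's private notes"),
    102: Document(102, "bob", "bob's salary letter"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_document_insecure(caller: User, doc_id: int) -> Document:
    """Vulnerable pattern: the handler trusts the id from the request and
    never checks that the caller may read that object, so changing
    ?id=101 to ?id=102 discloses another user's data (CWE-639 shape)."""
    return DOCUMENTS[doc_id]


def is_authorized(caller: User, doc: Document) -> bool:
    """Single policy decision point: owner or admin, nothing else."""
    return caller.role == "admin" or doc.owner_id == caller.user_id


def get_document(caller: User, doc_id: int) -> Document:
    """Hardened handler: look the object up, then enforce object-level
    authorization before returning it. A missing object and a denied
    object raise the same Forbidden, so the response does not reveal
    whether the id exists (deny by default)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(caller, doc):
        raise Forbidden(f"user {caller.user_id} may not read document {doc_id}")
    return doc


# CORS: explicit allowlist of trusted origins (constructed value).
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def cors_allow_origin(request_origin: Optional[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value, or None to omit the
    header. The misconfiguration A01 warns about is reflecting any Origin
    (or '*' together with credentials); here only allowlisted origins are
    echoed, and the comparison is an exact match, not a prefix or
    substring test, so 'https://app.example.com.evil.test' is rejected."""
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None


def demo() -> dict:
    """Run the same tampered request through both handlers."""
    alice = User("alice", "user")
    result = {}
    # Insecure handler: alice edits the id and reads bob's document.
    result["insecure_leak"] = get_document_insecure(alice, 102).owner_id
    # Hardened handler: the identical request is refused.
    try:
        get_document(alice, 102)
        result["hardened_leak"] = True
    except Forbidden:
        result["hardened_leak"] = False
    result["own_doc_ok"] = get_document(alice, 101).doc_id == 101
    result["cors_lookalike"] = cors_allow_origin("https://app.example.com.evil.test")
    return result


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through `is_authorized` is that the policy lives in one place: a reviewer can verify it once, and an audit log of `Forbidden` exceptions (one of the mitigations listed further down) becomes a direct signal for id-enumeration attempts.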

ATT&CK techniques this article tests · 0

Technique | Why it maps | Confidence

Defending mitigations · 7

Mitigation | What it does | Confidence
M1033 | This mitigation directly enforces the "principle of least privilege", preventing unauthorized actions by users. | 100%
M1035 | Strict resource access limits prevent users from acting "outside of their intended permissions", a core access control principle. | 100%
M1038 | Proper account provisioning and deprovisioning prevent unauthorized access and privilege creep, maintaining secure access control. | 100%
M1047 | Secure configuration of access control mechanisms prevents "CORS misconfiguration" and other flaws, as highlighted in the control. | 100%
M1049 | Regular vulnerability scanning identifies "common vulnerabilities" like broken access control before exploitation occurs. | 90%
M1031 | Two-factor authentication enhances authentication, making it harder to bypass access controls even with stolen credentials. | 80%
M1046 | Comprehensive auditing detects and logs "unauthorised information disclosure, modification, or destruction" attempts, enabling rapid response. | 90%

Underlying weaknesses · 7

CWE | Why it persists | Confidence
CWE-284 | This CWE is the direct definition of "Improper Access Control", which is the core issue described in the article. | 100%
CWE-285 | This weakness directly causes users to "act outside of their intended permissions", leading to unauthorized actions. | 100%
CWE-269 | This directly relates to "violation of the principle of least privilege" mentioned in the control text, a key access control failure. | 100%
CWE-862 | Lack of authorization checks allows "performing a business function outside the user's limits", a direct consequence of broken access. | 100%
CWE-863 | Flawed authorization logic leads to "unauthorised information disclosure, modification, or destruction", as described in the control. | 100%
CWE-306 | This is a specific instance of broken access control, allowing unauthorized function execution due to missing authentication. | 90%
CWE-639 | This weakness directly enables "bypass via URL tampering or parameter modification", a method explicitly mentioned in the control text. | 90%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0171 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation