Broken Access Control — Vulnerable Version

How to Test This Vulnerability

  1. Navigate to the vulnerable login page: /broken-access-control/vulnerable/login.
  2. Log in with the provided credentials for the user and admin accounts. When logged in as the regular user, you should see an "Unauthorized Access" message on the admin dashboard.
  3. Open browser dev tools (F12) and go to the Application tab.
  4. Modify the user cookie's role from user to admin.
  5. Revisit: /broken-access-control/vulnerable/admin to see unauthorized access succeed.
  6. You’ve now bypassed access control by tampering with client-side data — illustrating the vulnerability.

Why This Is a Vulnerability

The app determines access level from a cookie — specifically its role value. Because the browser controls that cookie, any user can edit it, so the check amounts to asking the client what its own privileges are and allows unauthorized privilege escalation.

Access control must be enforced on the **server-side**. Never trust values stored in the client to determine access permissions.
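The following is an added illustration, not code from the lab application: a plain-Python sketch of the vulnerable check that reads the role from a client cookie, next to the hardened check that resolves the role from a server-side session store and ignores whatever the client put in the cookie. The session store, cookie names and the `login`/`*_admin_check` helpers are assumptions of this example.

```python
import secrets

# Assumed server-side session store: session id -> role. In a real app this lives
# in the server's session backend (database, cache), never in the browser.
SESSION_STORE: dict[str, str] = {}


def login(username: str, role: str) -> dict[str, str]:
    """Simulate login and return the cookies the server would set on the response."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = role
    # The vulnerable app also ships the role to the client as a cookie.
    return {"session": session_id, "user": username, "role": role}


def vulnerable_admin_check(cookies: dict[str, str]) -> bool:
    # Vulnerable pattern described on the page: trusts a client-editable cookie.
    return cookies.get("role") == "admin"


def secure_admin_check(cookies: dict[str, str]) -> bool:
    # Hardened pattern: the cookie only identifies the session; the role is
    # looked up in server-side state, so a tampered 'role' cookie has no effect.
    session_id = cookies.get("session")
    if session_id is None:
        return False
    return SESSION_STORE.get(session_id) == "admin"


def demo() -> dict[str, bool]:
    """Reproduce steps 2-5 of the lab against both checks."""
    cookies = login("user", "user")
    tampered = dict(cookies, role="admin")  # the client edits its own cookie
    return {
        "vulnerable_before": vulnerable_admin_check(cookies),
        "vulnerable_after_tamper": vulnerable_admin_check(tampered),
        "secure_before": secure_admin_check(cookies),
        "secure_after_tamper": secure_admin_check(tampered),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'admin access granted' if allowed else 'denied'}")
```

The secure variant also rejects a made-up session id, since an unknown id has no entry in the server-side store.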