August 2018
Beginner
594 pages
22h 33m
English
Exploitation of missing or broken access control is a common security threat. Missing access control can be detected manually or, in some cases, with automated tools. Where it exists, it can allow attackers to act with elevated privileges, which may let them retrieve, add, update, or delete data they should not be able to reach.
Applications must verify access rights not just on the UI side but also on the server side. Even if functionality is hidden in the UI from users who lack the proper access rights, attackers may attempt to alter the URL, the application state, identity tokens, or access tokens, or to forge requests, in order to reach functionality they are not authorized to use.
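The point above, that hiding a link in the UI or trusting a role value sent by the client is not access control, is easiest to see in code. The following is an added example and is not taken from the book: it contrasts a request handler whose only "check" is a client-supplied role field with one that decides from server-held state (the session identity and the role stored for it) and logs every refusal. The users, documents and the `Request` shape are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: two ordinary users, one admin, and two documents
# that each belong to one user.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's private notes"},
    102: {"owner": "bob", "body": "bob's private notes"},
}

# Server-side record of refused requests; repeated 403s from one session are
# a useful detection signal for tampering with URLs or tokens.
DENIED_LOG = []


@dataclass
class Request:
    """What the server sees for GET /documents/<doc_id> (constructed shape)."""
    session_user: str           # identity the server established from a validated session
    doc_id: int                 # taken from the URL path: entirely under the client's control
    claimed_role: str = "user"  # a field the client sends; must never drive authorization


def get_document_ui_only(req: Request) -> dict:
    """Weak handler: relies on the UI hiding other users' links and on a
    role field the client itself supplies. Editing the URL or that field
    is enough to read someone else's document."""
    doc = DOCUMENTS.get(req.doc_id)
    if doc is None:
        return {"status": 404}
    if doc["owner"] != req.session_user and req.claimed_role != "admin":
        return {"status": 403}
    return {"status": 200, "body": doc["body"]}


def get_document(req: Request) -> dict:
    """Hardened handler: the decision uses only server-held state (the
    session identity and the role recorded for it). Nothing the client
    sends in the request body or URL can widen its rights."""
    doc = DOCUMENTS.get(req.doc_id)
    if doc is None:
        return {"status": 404}
    role = USERS.get(req.session_user, {}).get("role")
    if doc["owner"] != req.session_user and role != "admin":
        DENIED_LOG.append({
            "user": req.session_user,
            "doc_id": req.doc_id,
            "claimed_role": req.claimed_role,
        })
        return {"status": 403}
    return {"status": 200, "body": doc["body"]}


if __name__ == "__main__":
    # bob asks for alice's document and claims to be an admin in the request.
    forged = Request("bob", 101, claimed_role="admin")
    print("weak handler:    ", get_document_ui_only(forged))   # 200: data leaks
    print("hardened handler:", get_document(forged))           # 403: refused
    print("denied log:      ", DENIED_LOG)
```

The same rule applies to every server endpoint, not only document reads: the authorization decision must be recomputed on each request from what the server knows about the session, and hidden UI elements are a usability choice, not a control.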
From the client side, development teams should ensure that the UI prevents the use of ...