Broken Access Control

A01:2021 - Unauthorized data access

What is Broken Access Control?

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.

Common Exploits:

  • IDOR (Insecure Direct Object Reference) - changing IDs in URLs
  • Forced browsing to admin pages without authentication
  • Accessing API endpoints without proper authorization
  • Privilege escalation by modifying role parameters

Before WAF: Vulnerable

Without Cloudflare WAF, these requests succeed and expose unauthorized data.

Step 1: Access User Data Without Auth

# Access any user's data by changing the ID parameter
/api/access-control?id=1
/api/access-control?id=2
/api/access-control?id=3

# Response shows user's email, role, and other data
# WITHOUT requiring authentication!

Vulnerability: The API returns data based solely on the ID parameter, with no session validation.

After WAF: Protected

With Cloudflare WAF Managed Rules enabled, unauthorized access is blocked.

Enable Cloudflare Protection:

  1. Go to Cloudflare Dashboard → Security → WAF
  2. Enable "Cloudflare Managed Ruleset"
  3. Enable "OWASP Core Ruleset"
  4. Set sensitivity to "High"

Result: Requests without valid session tokens are blocked with a 403 Forbidden response.

Cloudflare WAF Protection

  • Access Control Rules: Enforce authentication at the edge
  • Token Validation: Verify JWT/session tokens before reaching origin
  • Rate Limiting: Prevent brute-force ID enumeration
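Added example, not code from the demo site: the request handling behind Step 1 in its vulnerable form beside a hardened form that checks the session token and then enforces object-level authorization, which is the origin-side counterpart of the token validation listed above. The user store, session tokens and route are constructed assumptions.

```javascript
// Constructed in-memory stores (assumptions, not the demo's data).
const USERS = {
  1: { id: 1, email: "alice@example.com", role: "admin" },
  2: { id: 2, email: "bob@example.com", role: "user" },
  3: { id: 3, email: "carol@example.com", role: "user" },
};
// session token -> user id (constructed)
const SESSIONS = { "tok-alice": 1, "tok-bob": 2 };

function parseId(url) {
  // Base URL only so relative paths like "/api/access-control?id=2" parse.
  const raw = new URL(url, "https://example.com").searchParams.get("id");
  return Number(raw);
}

// Vulnerable (the behaviour Step 1 describes): the id parameter alone
// selects the record; no session is required, so any id can be read.
function vulnerableHandler(url) {
  const user = USERS[parseId(url)];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

// Hardened: authenticate the caller, validate input, then authorize
// against the specific object requested (owner or admin only).
function hardenedHandler(url, headers) {
  const auth = headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
  const callerId = token ? SESSIONS[token] : undefined;
  if (callerId === undefined) return { status: 401, body: null }; // no valid session

  const id = parseId(url);
  if (!Number.isInteger(id)) return { status: 400, body: null }; // malformed id

  const caller = USERS[callerId];
  // Authorization check runs before the lookup, so a non-admin gets 403 for
  // any foreign id, existing or not, and cannot enumerate which ids exist.
  if (caller.id !== id && caller.role !== "admin") return { status: 403, body: null };

  const user = USERS[id];
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

module.exports = { vulnerableHandler, hardenedHandler };
```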