A5 – Securing access control

In the OWASP Top 10 2013, the A7 vulnerability was Missing Function Level Access Control. In the new 2017 edition, that vulnerability is folded into the broader Broken Access Control category, which is ranked in fifth position. This new category covers vulnerabilities where an unauthenticated or unauthorized user can reach restricted information by browsing to it directly, where a low-privilege user is able to escalate privileges, and even improper configurations of CORS policies.

In this recipe, we will take a look at some recommendations to improve the access control of our applications.
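The three failure modes named above (direct access to another user's data, privilege escalation by a low-privilege account, and a permissive CORS policy) all come down to the server not enforcing an authorization decision on every request. The following is an added illustration, not code from the book or any framework: a constructed in-memory document store and user model with each weak handler beside its hardened counterpart. All names (`User`, `Document`, `DOCUMENTS`, `ALLOWED_ORIGINS`, the handler functions) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# --- Constructed sample data (not from the page) -------------------------

@dataclass(frozen=True)
class User:
    id: int
    role: str          # "user" or "admin"

@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    body: str

DOCUMENTS: Dict[int, Document] = {
    1: Document(1, owner_id=100, body="alice's tax return"),
    2: Document(2, owner_id=200, body="bob's medical record"),
}

class NotAuthenticated(Exception):
    pass

class AccessDenied(Exception):
    pass

# --- 1. Direct browsing to a restricted object ---------------------------

def get_document_vulnerable(current_user: Optional[User], doc_id: int) -> str:
    # Only checks that the record exists; the id in the URL is trusted,
    # so any caller can read any document by changing the number.
    return DOCUMENTS[doc_id].body

def get_document_secure(current_user: Optional[User], doc_id: int) -> str:
    if current_user is None:
        raise NotAuthenticated()
    doc = DOCUMENTS.get(doc_id)
    # Deny both "missing" and "not yours" the same way, so the response
    # does not reveal whether a given id exists.
    if doc is None or (doc.owner_id != current_user.id and current_user.role != "admin"):
        raise AccessDenied()
    return doc.body

# --- 2. Privilege escalation by a low-privilege user ---------------------

def set_role_vulnerable(current_user: Optional[User], target: User, new_role: str) -> User:
    # No check on who is asking: a regular user can make themselves admin.
    return User(target.id, new_role)

def set_role_secure(current_user: Optional[User], target: User, new_role: str) -> User:
    if current_user is None:
        raise NotAuthenticated()
    if current_user.role != "admin":          # role change is an admin-only function
        raise AccessDenied()
    return User(target.id, new_role)

# --- 3. CORS policy ------------------------------------------------------

ALLOWED_ORIGINS = frozenset({"https://app.example.com"})   # constructed allowlist

def cors_headers_vulnerable(origin: str) -> Dict[str, str]:
    # Reflects whatever Origin the browser sent, with credentials allowed:
    # any site can then make authenticated cross-origin reads.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }

def cors_headers_secure(origin: str) -> Dict[str, str]:
    # Exact-match allowlist; unknown origins get no CORS headers at all,
    # and "Vary: Origin" keeps caches from serving one origin's answer to another.
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }

def is_denied(fn, *args) -> bool:
    """Helper for checks: True if the call is refused by the access control."""
    try:
        fn(*args)
    except (NotAuthenticated, AccessDenied):
        return True
    return False

if __name__ == "__main__":
    alice = User(100, "user")
    print("vulnerable read of bob's doc by alice:", get_document_vulnerable(alice, 2))
    print("secure read refused:", is_denied(get_document_secure, alice, 2))
    print("self-promotion refused:", is_denied(set_role_secure, alice, alice, "admin"))
    print("evil origin headers:", cors_headers_secure("https://evil.example"))
```

The pattern to take from the hardened versions is that every handler starts with "who is asking?" and "are they allowed to do this to this object?", and that an unknown object and a forbidden object are answered identically.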
