The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Completely Unprotected Functionality

In many cases of broken access controls, sensitive functionality and resources can be accessed by anyone who knows the relevant URL. For example, there are many applications in which anyone who visits a specific URL is able to make full use of its administrative functions:

https://wahh-app.com/admin/

In this situation, the application typically enforces access control only to the following extent: users who have logged in as administrators see a link to this URL on their user interface, while other users do not. This cosmetic difference is the only mechanism in place to “protect” the sensitive functionality from unauthorized use.

Sometimes, the URL that grants access to powerful functions may be less easy to guess, and may even be quite cryptic, for example:

https://wahh-app.com/menus/secure/ff457/DoAdminMenu2.jsp

Here, access to administrative functions is protected by the assumption that an attacker will not know or discover this URL. The application is harder for a complete outsider to compromise, because they are less likely to guess the URL by which they can do so.
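The following is an added example, not code from the book, that puts the two situations above side by side in a toy request dispatcher: one handler relies only on hiding the admin link from non-administrators (the "cosmetic" control), while the hardened handler looks up every protected path, obvious or cryptic, in a server-side route table and checks the caller's role on each request, recording refused attempts for detection. The paths reuse the two URLs from the text; the session model, role names and route table are constructed for illustration.

```python
"""Cosmetic versus server-side access control for privileged URLs.

Added example, not from the book. The session object, the role names and
the route table below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed: each path maps to the role it requires (None = any logged-in user).
# Both the obvious path and the obscure one from the text are listed, because
# obscurity of the URL is not a substitute for a check.
ROUTES: dict[str, Optional[str]] = {
    "/home": None,
    "/account": None,
    "/admin/": "admin",
    "/menus/secure/ff457/DoAdminMenu2.jsp": "admin",
}

ADMIN_PATHS = {p for p, role in ROUTES.items() if role == "admin"}


@dataclass
class Session:
    user: str
    roles: frozenset = field(default_factory=frozenset)


def render_home(session: Session) -> str:
    """Both handlers show the admin link only to administrators."""
    links = ["/account"]
    if "admin" in session.roles:
        links.append("/admin/")
    return "home links=" + ",".join(links)


def vulnerable_handle(path: str, session: Session) -> tuple[int, str]:
    """Broken: hiding the link is the only 'control'.

    Any user who knows (or discovers) an admin URL gets the admin menu.
    """
    if path == "/home":
        return 200, render_home(session)
    if path in ADMIN_PATHS:
        return 200, "admin menu"          # no role check at all
    if path in ROUTES:
        return 200, f"page {path}"
    return 404, "not found"


# Constructed audit trail: refused requests are the signal a defender wants.
DENIED_LOG: list[tuple[str, str]] = []


def hardened_handle(path: str, session: Session) -> tuple[int, str]:
    """Fixed: authorization is enforced on every request, deny by default.

    Unknown paths are refused, and protected paths require the listed role
    regardless of how guessable the URL is.
    """
    if path not in ROUTES:
        return 404, "not found"
    required = ROUTES[path]
    if required is not None and required not in session.roles:
        DENIED_LOG.append((session.user, path))   # record for monitoring
        return 403, "forbidden"
    if path == "/home":
        return 200, render_home(session)
    if path in ADMIN_PATHS:
        return 200, "admin menu"
    return 200, f"page {path}"


if __name__ == "__main__":
    alice = Session("alice")                       # ordinary user
    bob = Session("bob", frozenset({"admin"}))     # administrator
    for handler in (vulnerable_handle, hardened_handle):
        print(handler.__name__)
        print("  alice /home ->", handler("/home", alice))
        print("  alice /admin/ ->", handler("/admin/", alice))
        print("  alice cryptic ->", handler("/menus/secure/ff457/DoAdminMenu2.jsp", alice))
        print("  bob /admin/ ->", handler("/admin/", bob))
    print("denied:", DENIED_LOG)
```

The point of the route table is that the check lives in one place that every request passes through, so adding a new privileged page means adding a row, not remembering to add a check inside the page. The denial log gives a security operations team something to alert on: a non-administrator account repeatedly requesting administrative paths is exactly the pattern this section describes.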



