This lesson will explore a small application demonstrating the danger of broken access control.

Identify and Prevent Broken Access Control

Before we can identify any vulnerabilities within our code, we need to obtain a proper understanding of the code. Let's discuss the intended flow of the code, starting with the login function.

Understanding Our Application

Our last exercise found that the validation code surrounding the `account_password` feature was not properly securing individual accounts. To understand why let's dive into the `validate_request` and `account_page_password` methods. Additionally, we'll look at the `account_secret_phrase` method, as we know this function is properly restricting user's access. Once we understand why the code is broken, the fix can be implemented easily.

Remediating Broken Access Controls

In our modern era, applications are becoming increasingly more robust, dynamic, and complex. Given the increased complexity, it is only natural that vulnerabilities will find their way into our applications. However, as developers, we must ensure we are vigilant against any issues.

One common addition found within most modern applications is the ability to provide users with access to persistent information directly related to their activity. In many applications, developers will implement accounts to provide a manner for users to control and maintain data on the application. Of course, while this may sound simple, adding accounts and private information introduces various challenges and vulnerabilities to the application.

This short lesson will explore a small application demonstrating a basic example of broken access controls. In this lesson, we'll be able to learn the following:

- Review our code for potential access control vulnerabilities.
- Validate the existence of these vulnerabilities via active exploitation.
- Remediate our code and remove the vulnerability.


A microscope scanning or searches for vulnerabilities on a computer. 

Broken Access Controls

As mentioned, applications are becoming increasingly more robust, dynamic, and complex in our modern era. Given the increased complexity, it is only natural that vulnerabilities will find their way into our applications. However, as developers, we must ensure we are vigilant against any issues. 

This short lesson explored a small application demonstrating a basic example of broken access controls. We've done the following:

- Reviewed our code for potential access control vulnerabilities.
- Validated the existence of these vulnerabilities via active exploitation.
- Remediated our code and removed the vulnerability.




A microscope scanning or searching for vulnerabilities on a computer.

Conclusion

Now that we understand how the code is supposed to work let's take a look at what's actually happening. 

Let's log in and validate that the **protected** endpoints are protected. 

Let's leverage the user1 account. 