Broken Access Control Through Business Logic Vulnerabilities

Broken Access Control (BAC) vulnerabilities consistently occupy leading positions in the OWASP Top 10 ranking. In 2022, I already conducted a masterclass dedicated to this topic: "Finding IDOR (BOLA) Vulnerabilities". This time, I want to address problems much deeper than simple errors in authorization implementation.

This talk is dedicated to a less obvious, but extremely dangerous category of threats: Broken Access Control, arising from flaws in the application's business logic itself.

We will look at examples from bug bounty programs and real projects to see what business logic problems lead to BAC. Among them:

• Default permissions;
• Integration;
• Auto-renewal;
• Permission collisions;
• Permissions revoked;
• Sequence problems;
• Error handling.

The goal of the talk is to teach thinking "like a hacker," identifying hidden logical chains that can be exploited to violate access control. I hope after my masterclass development teams will start thinking about the discussed problems in their applications.