The OWASP Top 10 | Broken Access Control (Laravel), in Arabic
Below is a short overview of Broken Access Control from the OWASP Top 10. The walkthrough is in Arabic; technical terms stay familiar if you work with Laravel and APIs.
Video (AR)
The OWASP Top 10 — Broken Access Control (Laravel), in Arabic.
The OWASP Top 10 | Broken Access Control
In the 2021 revision, Broken Access Control moved to the top of the list. It is not a single bug class but a family of mistakes where the application fails to enforce the rule: “is this user allowed to do this, on this object, every time?”
Typical failures include horizontal privilege issues (user A can read user B’s data) and vertical issues (a normal user can reach admin actions). IDOR (insecure direct object reference) is the classic case: the client swaps an ID in a URL or API call, and the server loads the new object without re-checking that the caller is allowed to see or change it.
Why it is dangerous: Access control runs on the server. Client-side hiding of buttons or routes does not count; attackers skip the UI. Every state-changing request must verify authorization, not only authentication (“who is logged in”).
Laravel in practice: use Policies / Gates, route middleware (such as auth and can), and explicit checks in controllers; pair authorize() with route model binding so the policy runs on the resolved model; guard against mass assignment ($fillable plus validated input, never $request->all()); and never trust an ID or owner field supplied by the client.
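The following is an added example, not code from the video or from the Laravel project: an IDOR-prone controller next to a hardened version that uses a Policy, authorize() on a route-model-bound Invoice, and validated (whitelisted) input instead of mass assignment. The Invoice model, its user_id and is_locked columns, InvoicePolicy, and the route paths are assumed for illustration.

```php
<?php
// Added example (assumed model/policy names). Contrasts a controller with a
// Broken Access Control flaw against one that authorizes on every request.

namespace App\Http\Controllers;

use App\Models\Invoice;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// --- BEFORE: authentication only, no authorization (horizontal IDOR) -------
// The 'auth' middleware proves *who* is calling, but nothing checks that the
// invoice belongs to the caller: any logged-in user can read or edit any
// invoice by changing {id}. update() also mass-assigns every field the client
// sends, so a request body can overwrite user_id or is_locked.
class InvoiceControllerVulnerable extends Controller
{
    public function show(int $id)
    {
        return Invoice::findOrFail($id);          // no ownership check
    }

    public function update(Request $request, int $id)
    {
        $invoice = Invoice::findOrFail($id);
        $invoice->update($request->all());        // mass assignment of client input
        return $invoice;
    }
}

// --- AFTER: Policy + authorize() + route model binding + validated input ----
// app/Policies/InvoicePolicy.php (assumed). Laravel auto-discovers policies
// for App\Models\Invoice; otherwise register it in AuthServiceProvider.
class InvoicePolicy
{
    // Horizontal check: the invoice must belong to the authenticated user.
    public function view(User $user, Invoice $invoice): bool
    {
        return $invoice->user_id === $user->id;
    }

    // Same ownership rule, plus a business rule (locked invoices are read-only).
    public function update(User $user, Invoice $invoice): bool
    {
        return $invoice->user_id === $user->id && ! $invoice->is_locked;
    }
}

class InvoiceController extends Controller
{
    // Trait providing $this->authorize(); included explicitly so the example
    // works whether or not the base Controller already uses it.
    use AuthorizesRequests;

    // Route model binding resolves {invoice} to a model; authorize() runs
    // InvoicePolicy::view and aborts with 403 when it returns false.
    public function show(Invoice $invoice)
    {
        $this->authorize('view', $invoice);
        return $invoice;
    }

    public function update(Request $request, Invoice $invoice)
    {
        $this->authorize('update', $invoice);

        // Whitelist the writable fields. user_id and is_locked are deliberately
        // absent, so the client cannot reassign ownership or unlock the record.
        $validated = $request->validate([
            'note'   => ['nullable', 'string', 'max:500'],
            'status' => ['required', 'in:draft,sent'],
        ]);

        $invoice->update($validated);
        return $invoice;
    }
}

// routes/api.php (assumed). Authentication middleware on the group; the
// per-object authorization lives in the controller/policy above. The 'can'
// middleware is an equivalent place to run the same policy method.
Route::middleware('auth:sanctum')->group(function () {
    Route::get('/invoices/{invoice}', [InvoiceController::class, 'show']);
    Route::patch('/invoices/{invoice}', [InvoiceController::class, 'update'])
        ->middleware('can:update,invoice');
});
```

A quick regression check for this is a feature test that logs in as one user, requests another user’s invoice through the hardened routes, and asserts a 403; the same request against the vulnerable controller returns 200, which is exactly the horizontal privilege failure the section describes. Note that the policy compares the invoice’s stored user_id with the authenticated user, never with anything taken from the request.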
Primary reference: OWASP Top 10 (2021) — A01: Broken Access Control.