  • Injection flaws: untrusted input is injected into an application.
  • Cross-site scripting (XSS): untrusted input is included in a web page's output.
  • Broken authentication/session management: the application doesn't properly validate credentials or protect session information.
  • Inadequate role-based authorization or allowing users to access functionality beyond their permission.
  • URL tampering to gain access to restricted content.
  • Missing function-level access control or not adequately limiting access to specific functions.
  • Manipulating URL parameters to access restricted areas/resources.
  • Session fixation occurs when an attacker gains unauthorized access by forcing a user to use a specific session ID.
  • Allowing unauthorized domains to access resources by way of improperly configured cross-origin resource sharing (CORS).
  • Accessing unauthorized data by manipulating an identifier in the URL because the application directly exposes the object identifier (insecure direct object references, IDOR).

How can we prevent/mitigate broken access control? There are several ways to prevent unauthorized individuals from "entering an area or using a resource" by following defense-in-depth and least privilege principles.

  • Follow "deny by default" unless publicly accessible.
  • Make sure there are robust user authentication and authorization mechanisms in place.
  • Validate user inputs.
  • Secure session management.
  • Minimize Cross-Origin Resource Sharing (CORS) usage by using access control in the application.
  • Access validation: when a request attempts to tamper with the application or database, the system checks the caller's credentials and permissions on every access and denies the request if they don't match.
  • Test and audit controls put in place! Regularly review and update any access control policies.
  • Conduct regular security audits.
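The mitigations above (deny by default, function-level checks, an object-level ownership check against the IDOR case, and a CORS allowlist) can be combined in a small authorization layer. The following is an added example written for this post, not code from OWASP or from the original author; the users, documents, roles and the allowed origin `https://app.example.com` are constructed sample data.

```python
# Added example (not from the original post): a minimal authorization layer
# showing "deny by default", function-level (role) checks, an object-level
# ownership check (the IDOR case) and a CORS origin allowlist.
# All users, documents, roles and origins below are constructed sample data.

USERS = {
    "alice": {"roles": {"user"}},
    "bob":   {"roles": {"user"}},
    "carol": {"roles": {"user", "admin"}},
}

DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's notes"},
    102: {"owner": "bob",   "body": "bob's notes"},
}

# Function-level access control: which roles may perform which action.
# Any action not listed here is denied for everyone (deny by default).
PERMISSIONS = {
    "view_document": {"user", "admin"},
    "delete_user":   {"admin"},
}


class AccessDenied(Exception):
    pass


def require_permission(action):
    """Decorator: the caller must hold a role granted `action`, else deny."""
    def decorator(func):
        def wrapper(username, *args, **kwargs):
            roles = USERS.get(username, {}).get("roles", set())
            allowed = PERMISSIONS.get(action, set())  # missing entry -> denied
            if not roles & allowed:
                raise AccessDenied(f"{username!r} may not {action}")
            return func(username, *args, **kwargs)
        return wrapper
    return decorator


# Vulnerable version (IDOR): the function-level check passes for any
# authenticated user, so any user can read any document by guessing its id.
@require_permission("view_document")
def view_document_vulnerable(username, doc_id):
    return DOCUMENTS[doc_id]["body"]  # no ownership check


# Hardened version: object-level check on top of the function-level check.
@require_permission("view_document")
def view_document(username, doc_id):
    doc = DOCUMENTS.get(doc_id)
    is_admin = "admin" in USERS[username]["roles"]
    if doc is None or (doc["owner"] != username and not is_admin):
        # Same error for "does not exist" and "not yours", so the response
        # does not reveal which ids are valid.
        raise AccessDenied(f"document {doc_id} not available to {username!r}")
    return doc["body"]


@require_permission("delete_user")
def delete_user(username, target):
    USERS.pop(target, None)
    return True


@require_permission("export_all")  # not in PERMISSIONS: nobody can call it
def export_all(username):
    return dict(DOCUMENTS)


# CORS: answer only allowlisted origins instead of reflecting the Origin header.
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed sample origin


def cors_origin_header(request_origin):
    """Return the Access-Control-Allow-Origin value, or None to omit the header."""
    if request_origin in ALLOWED_ORIGINS:
        return request_origin
    return None  # deny by default: unknown origins get no CORS grant


def attempt(func, *args):
    """Run an action and collapse any denial into the string 'DENIED'."""
    try:
        return func(*args)
    except (AccessDenied, KeyError):
        return "DENIED"


if __name__ == "__main__":
    print(attempt(view_document_vulnerable, "bob", 101))  # bob reads alice's notes
    print(attempt(view_document, "bob", 101))             # DENIED
    print(attempt(export_all, "carol"))                   # DENIED (no such permission)
    print(cors_origin_header("https://evil.example"))     # None
```

Note the two layers: `require_permission` answers "may this role call this function at all?", while the body of `view_document` answers "may this user touch this particular object?". The IDOR in `view_document_vulnerable` is exactly the second question going unasked.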

This is just a small excerpt on Broken Access Control. Check out more at OWASP.org! https://owasp.org/Top10/A01_2021-Broken_Access_Control/