Authorization is the security process that determines what an authenticated user is allowed to do. While authentication verifies identity, authorization enforces permissions. It answers the question "What are you allowed to access?" and controls whether a user can view specific data, perform certain actions, or access particular resources within an application.
How It Works
Authorization is typically implemented through access control models. Role-Based Access Control (RBAC) assigns permissions based on predefined roles such as admin, editor, or viewer. Attribute-Based Access Control (ABAC) makes decisions based on attributes of the user, resource, and environment. Discretionary Access Control (DAC) allows resource owners to grant permissions to others.
In web applications, authorization checks occur on every request that accesses protected resources. When a user requests to view a document, the server verifies that the user's role or permissions include read access to that specific document. When a user attempts to delete an account, the server confirms they have administrative privileges. These checks must happen server-side because client-side restrictions can be trivially bypassed.
A common and dangerous mistake is implementing authorization checks only on the frontend. An application might hide the "Delete User" button from non-admin users but fail to verify permissions when the delete API endpoint is called directly. An attacker who discovers the endpoint can simply send the request without ever interacting with the frontend, bypassing the intended restriction entirely.
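To make the server-side enforcement concrete, here is an added example in Python (written for this page, not code from the original article). It models the access-control ideas above as a small in-memory service: a role-to-permission table (RBAC), plus a per-document ownership and share list so that a "view document" request is checked against that specific document, not just the caller's role. The role names, user and document records, and function names (`delete_user_frontend_only`, `delete_user`, `read_document`, `denied`) are constructed for illustration. The first delete function shows the frontend-only mistake: it does no check and relies on the UI hiding the button, so a direct call to it succeeds for any authenticated user. The second version performs the check on every call.

```python
from dataclasses import dataclass, field

# Role-based permissions: each role maps to the set of actions it may perform.
# Constructed for this example; a real application would load this from config or a policy store.
ROLE_PERMISSIONS = {
    "admin": {"doc:read", "doc:write", "user:delete"},
    "editor": {"doc:read", "doc:write"},
    "viewer": {"doc:read"},
}


class Forbidden(Exception):
    """Raised when the server-side check denies the request (maps to HTTP 403)."""


@dataclass
class User:
    user_id: str
    role: str


@dataclass
class Document:
    doc_id: str
    owner_id: str
    body: str
    shared_with: set = field(default_factory=set)


def make_users():
    """Constructed in-memory user table standing in for the application's data store."""
    return {
        "u1": User("u1", "admin"),
        "u2": User("u2", "editor"),
        "u3": User("u3", "viewer"),
    }


def make_documents():
    """Constructed documents: d1 is private to u2, d2 is owned by u3 and shared with u2."""
    return {
        "d1": Document("d1", owner_id="u2", body="editor's draft"),
        "d2": Document("d2", owner_id="u3", body="viewer's notes", shared_with={"u2"}),
    }


def has_permission(user, action):
    """RBAC check: unknown roles get no permissions rather than an error."""
    return action in ROLE_PERMISSIONS.get(user.role, set())


def delete_user_frontend_only(actor, target_id, users):
    """The mistake described above: the UI hides the button from non-admins, but the
    endpoint itself never checks, so any authenticated caller who reaches it succeeds."""
    del users[target_id]
    return True


def delete_user(actor, target_id, users):
    """Hardened version: the role check runs on every call, whatever the client showed."""
    if not has_permission(actor, "user:delete"):
        raise Forbidden(f"{actor.user_id} ({actor.role}) may not delete users")
    del users[target_id]
    return True


def read_document(actor, doc_id, docs):
    """Two-layer check: the role must allow reading at all, and the caller must be the
    owner, on the share list, or an admin for this specific document (object-level check)."""
    if not has_permission(actor, "doc:read"):
        raise Forbidden(f"role {actor.role} cannot read documents")
    doc = docs.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    allowed = (
        actor.user_id == doc.owner_id
        or actor.user_id in doc.shared_with
        or actor.role == "admin"
    )
    if not allowed:
        raise Forbidden(f"{actor.user_id} has no access to {doc_id}")
    return doc.body


def denied(fn, *args):
    """Helper for demonstrations: True if the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    users = make_users()
    viewer = users["u3"]
    print("viewer blocked by hardened endpoint:", denied(delete_user, viewer, "u1", users))
    print("viewer deletes admin via unchecked endpoint:", delete_user_frontend_only(viewer, "u1", users))
    print("viewer reading another user's private doc denied:", denied(read_document, viewer, "d1", make_documents()))
```

The object-level check in `read_document` is the part most often missing in practice: a role table alone says that editors may read documents, but not which documents, so the server must also compare the caller's identity against the record being requested.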
Why It Matters
Broken authorization is one of the most prevalent and impactful vulnerability categories in modern applications. It enables attackers to access other users' data, escalate privileges to administrative levels, or perform actions they should never be permitted to take. Security assessments specifically target authorization logic by manipulating user identifiers, switching roles, and testing every endpoint with different privilege levels to identify gaps in enforcement.
Need your application tested? Get in touch.