BugQuest 2026: 31 Days of Broken Access Control

In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of the most critical vulnerability classes in modern web applications.

Broken access controls have consistently remained at the top of the OWASP Top 10, and for good reason. As applications grow more complex with role-based permissions, multi-tenant architectures, and granular access models, the attack surface for authorization flaws expands significantly. Unlike vulnerabilities that stem from insufficient input sanitization, broken access controls arise from flawed or missing enforcement of authorization rules, allowing attackers to access resources and perform actions beyond their intended privileges.

Below, you'll find all 31 posts from our recent BugQuest series. Whether you're new to authorization testing or looking to sharpen your skills, this collection covers the basics, discovery techniques, exploitation methods, and real-world practice scenarios you need to start finding these vulnerabilities in the wild.

Let's dive in!

Day 1: Understanding Broken Access Controls (A01:2025)

Learn what broken access control is and why it remains the most critical vulnerability on the OWASP Top 10 2025.

Day 2: Authentication vs Authorization

Understanding the fundamental difference between authentication and authorization and why confusion between the two leads to critical security vulnerabilities.

Day 3: Common Authentication Methods

Exploring the four most common HTTP authentication methods: session cookies, bearer tokens, API keys, and HTTP basic authentication.

Day 4: Authorization-Level Checks

Breaking down the three main types of authorization checks: vertical privilege escalation, horizontal privilege escalation, and custom function-level checks.

Day 5: Authorization Models Explained

Understanding RBAC, ABAC, DAC, and MAC - the four authorization models that power modern web applications and where they're most commonly broken.

Day 6: Reporting Impactful BAC Flaws

How to write compelling broken access control reports that demonstrate real impact using the CIA triad: confidentiality, integrity, and availability.

Day 7: Where BACs Commonly Arise

The seven most common places where broken access controls appear: new features, premium features, legacy code, third-party integrations, APIs, complex permission systems, and file operations.

Day 8: Discovering BAC Vulnerabilities

An overview of the seven primary discovery methods for finding broken access control vulnerabilities during security assessments and bug bounty hunting.

Day 9: Common Configuration Files

Exploring robots.txt, sitemap.xml, security.txt, .well-known directories, package.json, swagger.json, and .git/config files that leak valuable endpoint information.

Day 10: Content Discovery & Fuzzing

Using ffuf and other fuzzing tools to discover hidden endpoints, admin panels, and API routes that may lack proper authorization checks.

Day 11: JavaScript Enumeration

Techniques for extracting API endpoints from JavaScript files using LinkFinder, JSParser, and manual analysis to find hardcoded routes and function calls.

Day 12: API Documentation Mining

Leveraging Swagger, OpenAPI specs, and other API documentation to discover endpoints and understand expected authentication and authorization requirements.

Day 13: Third-Party Intelligence Sources

Finding endpoints through GitHub code search, Wayback Machine, Postman collections, Pastebin, Certificate Transparency logs, Shodan, and mobile app stores.

Day 14: GraphQL Introspection

Using GraphQL introspection queries and IDE auto-complete features to enumerate all available queries, mutations, and fields in GraphQL APIs.

Day 15: Mobile Application Analysis

Static and dynamic analysis techniques for mobile apps including APK/IPA unpacking, certificate pinning bypass, local storage inspection, and API version discovery.

Day 16: BAC Testing Methodology

A three-step methodology for systematically testing authorization: discovery (find all endpoints), context (understand the authorization model), and test (verify enforcement).

Day 17: Request Method Tampering

Exploiting authorization checks that only validate specific HTTP methods - bypassing GET restrictions by switching to POST, PUT, or other methods.

Day 18: HTTP Parameter Pollution

Using duplicate parameters, arrays, and special characters to confuse authorization logic and bypass access controls through parameter pollution.

Day 19: Static Keyword Swapping

Replacing keywords like "me", "current", or "my" with actual user IDs to bypass authorization checks that assume users only reference themselves.

Day 20: JWT Vulnerabilities

Exploiting JWT algorithm confusion attacks where applications accept tokens signed with different algorithms than intended, particularly RS256 to HS256 confusion.

Day 21: Logic Flaws in Authorization

Identifying multi-step workflows where authorization checks are inconsistent or missing between steps, leading to logic-based access control bypasses.

Day 22: Second-Order Attacks

Exploiting middleware architectures and path traversal in proxied requests where authorization is checked in one context but executed in another.

Day 23: Spot the Vulnerability #1 - Basic IDOR

Practice challenge featuring a classic missing authorization check - the most fundamental form of broken access control you'll encounter.

Day 24: Spot the Vulnerability #2 - Keyword/UUID Swapping

Practice challenge demonstrating how endpoints that accept both keywords and direct IDs can be exploited by bypassing the keyword resolution logic.

Day 25: Spot the Vulnerability #3 - Request Method Swapping

Practice challenge showing authorization checks tied to specific HTTP methods, where GET is protected but POST/PUT bypass the authorization entirely.

Day 26: Spot the Vulnerability #4 - Unprotected GraphQL

Practice challenge featuring GraphQL resolvers that check authentication but never validate authorization on queries and mutations.

Day 27: Spot the Vulnerability #5 - JWT Algorithm Confusion

Practice challenge demonstrating JWT validation without algorithm specification, allowing attackers to exploit RS256 to HS256 algorithm confusion.

Day 28: Spot the Vulnerability #6 - Second-Order Attack

Practice challenge showing path traversal in middleware that validates authorization but doesn't sanitize parameters before forwarding to internal services.

Day 29: Spot the Vulnerability #7 - URL-Matching Discrepancies

Practice challenge featuring Rails format-based authorization bypass where authorization checks only apply to HTML requests, not JSON format requests.

Day 30: Automated Testing Tools

Introduction to Firefox Multi-Account Containers for testing multiple user sessions simultaneously and Burp Suite Autorize for automated authorization testing at scale.

Day 31: Automated Testing Tools

Introduction to Burp Suite Autorize for automated authorization testing at scale.

Additional Resources

Check out the additional resources below to dive deeper into broken access control vulnerabilities and start hunting!

📚 Dive deeper into BACs: go.intigriti.com/exploiting-bac

🎯 Start hunting: go.intigriti.com/bugquest

That's all 31 days of BugQuest! Whether you followed along in real-time or discovered this collection later, you now have a complete reference for finding and exploiting broken access control vulnerabilities. Ready to put these skills to work? Browse through Intigriti's public bug bounty programs and start hunting!