The Open Web Applications Security Project releases their top 10 vulnerabilities every 3 or 4 years. It contains the most common types of problems developments have inadvertently delivered in their web applications.
The next reiteration which is currently in draft contains Broken Access Control (BAC) as the number 1 issue web applications are susceptible to.
After analysing over 500,000 application data logs provided by OWASP supporters and friends of the project, the top 10 was decided using this data for 8 of the top 10 and 2 were from a survey proved to the industry.
What is Broken Access Control?
Broken Access Control is the method of modifying something that the app accepts by either impersonating someone or something someone else had.
For example, a user of the application may be the holder of a cookie or JWT (JSON Web Token) and the malicious actor gets hold of it, changes it to make a request and the application unwittingly fulfils it.