A5 - Broken Access Control

Most web apps verify function-level access before making that functionality visible in the UI. However, apps also need to perform the same checks on the server each time a function is accessed, because hiding a link or button only controls what the browser renders, not what it can send. Otherwise, attackers will be able to forge requests to access functionality without proper authorization.
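As an added illustration (not code from the OWASP page), the following minimal dispatcher shows the server-side check the paragraph describes: every request is authorized against a role-to-function policy regardless of what the UI exposed. The users, roles, actions and return codes are constructed for this example.

```python
# Added example (not from the OWASP page): a minimal request dispatcher that
# enforces function-level authorization on the server, independent of what
# the UI shows. All users, roles and actions are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Server-side policy: which roles may invoke each function. This is the
# check the UI alone cannot provide, because requests can be forged.
PERMISSIONS = {
    "view_profile": {"user", "admin"},
    "delete_user": {"admin"},
}


def is_authorized(user: User, action: str) -> bool:
    """Deny by default: unknown actions and unknown roles are rejected."""
    return user.role in PERMISSIONS.get(action, set())


def handle_request(user: User, action: str, target: str) -> tuple:
    """Simulated server endpoint. The check runs on EVERY request, whether
    or not the client ever rendered a button for this action."""
    if not is_authorized(user, action):
        # 403, not a redirect to login: the user is authenticated but lacks
        # the function-level privilege for this action.
        return 403, f"forbidden: {user.name} may not {action}"
    if action == "view_profile":
        return 200, f"profile of {target}"
    if action == "delete_user":
        return 200, f"deleted {target}"
    return 404, "unknown action"


if __name__ == "__main__":
    alice = User("alice", "user")
    root = User("root", "admin")
    # The UI would only show "delete" to admins, but a hand-crafted request
    # from alice must still be refused by the server.
    print(handle_request(alice, "delete_user", "bob"))
    print(handle_request(root, "delete_user", "bob"))
```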
