InfoSec Bites

OWASP Top 10 A01 - Broken Access Control: A Comprehensive Guide, why the #1 web vulnerability threatens your digital security



This guide examines Broken Access Control, which OWASP ranked as the number one web application security risk in its 2021 Top 10 because of its widespread occurrence and severe impact. It describes how applications fail to adequately restrict what users can do or see, enabling attackers to view private data or perform unauthorised actions. It explains common access control models (such as Role-Based Access Control) and common weaknesses, including Insecure Direct Object References (IDOR), where an attacker changes an identifier in a request to reach another user's object, and missing function-level access control, where a privileged operation is reachable without a role check. It then outlines attack scenarios, illustrates prevention through secure coding practices (server-side checks that deny by default) and architectural best practices, and highlights real-world impact with a case study of the 2019 Facebook API breach. The guide concludes by emphasising robust testing methodologies and ongoing vigilance in mitigating this pervasive threat across modern, complex systems such as microservices and cloud environments.
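The IDOR and missing function-level access control weaknesses mentioned above, as an added Python example that is not from the InfoSec Bites episode or from HelloInfoSec: a vulnerable lookup that trusts the caller-supplied invoice id is shown beside a hardened lookup with an object-level ownership check, and a deny-by-default role table supplies the function-level check. The `User`, `Invoice`, `INVOICES` and `ROLE_PERMISSIONS` names, the records and the roles are all constructed for illustration.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles for this example: "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample records standing in for a database table.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=250.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=80.0),
}

# Function-level policy: deny by default, list the roles each action allows.
ROLE_PERMISSIONS = {
    "view_invoice": {"user", "admin"},
    "export_all_invoices": {"admin"},
}


def authorize(caller: User, action: str) -> None:
    """Function-level access control. An action missing from the policy
    table is denied, so a newly added endpoint is not open by accident."""
    if caller.role not in ROLE_PERMISSIONS.get(action, set()):
        raise Forbidden(f"role {caller.role!r} may not {action}")


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    """IDOR: the caller-supplied id is trusted and ownership is never checked,
    so any logged-in user can read any invoice by changing the id."""
    authorize(caller, "view_invoice")  # a role check alone is not enough
    return INVOICES[invoice_id]


def get_invoice_hardened(caller: User, invoice_id: int) -> Invoice:
    """Object-level check: only the record owner or an admin may read it.
    A denied request and a missing record raise the same error so the
    response does not confirm which ids exist."""
    authorize(caller, "view_invoice")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not (
        invoice.owner_id == caller.user_id or caller.role == "admin"
    ):
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def export_all_invoices(caller: User) -> list:
    """Privileged function, reachable only through the policy table."""
    authorize(caller, "export_all_invoices")
    return sorted(INVOICES.values(), key=lambda inv: inv.invoice_id)


def can_read(fetch, caller: User, invoice_id: int) -> bool:
    """True if `fetch` returns the invoice, False if access is refused.
    Used to compare the vulnerable and hardened lookups side by side."""
    try:
        fetch(caller, invoice_id)
        return True
    except Forbidden:
        return False


def can_export(caller: User) -> bool:
    """True if the caller is allowed to run the privileged export."""
    try:
        export_all_invoices(caller)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, admin = User(1, "user"), User(99, "admin")
    # alice owns 1001; 1002 belongs to another user.
    for name, fetch in (("vulnerable", get_invoice_vulnerable),
                        ("hardened", get_invoice_hardened)):
        print(f"{name}: alice reads 1002 -> {can_read(fetch, alice, 1002)}")
    print(f"alice may export all: {can_export(alice)}; admin: {can_export(admin)}")
```

The vulnerable function passes the role check and still leaks another user's record, which is why the object-level check has to live next to the data access and not only at the route or menu level; the policy table makes every function-level decision explicit and rejects any action that nobody has listed.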


InfoSec Bites by HelloInfoSec