
API5: Broken Function Level Authorization

>Control Description

Authorization flaws tend to be different from authentication flaws. The best way to find broken function level authorization issues is to perform a deep analysis of the authorization mechanism while keeping in mind the user hierarchy and the different roles or groups in the application, and asking questions such as: Can a regular user access administrative endpoints? Can a user perform sensitive actions they should not have access to simply by changing the HTTP method? Can a user from group X access a function that should be exposed only to users from group Y simply by guessing the endpoint URL and parameters? Don't assume that an API endpoint is regular or administrative based only on the URL path.

>Prevention & Mitigation Strategies

  1. The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.
  2. Review your API endpoints for function level authorization flaws, keeping in mind the business logic of the application and the group hierarchy.
  3. Make sure that all of your administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user's group/role.
  4. Make sure that administrative functions inside a regular controller implement authorization checks based on the user's group and role.
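The four strategies above, put together in a small framework-free dispatcher. This is an added example and not code from the page or from OWASP; the role names, controller classes and route table are assumptions, and the three routes are the endpoints named in the attack scenarios on this page. Access is deny-by-default, the HTTP method is part of the route key, administrative controllers inherit an admin-only base, and the administrative function inside the regular invite controller carries its own role check.

```python
from collections import namedtuple
User = namedtuple("User", "name roles")  # roles: frozenset of role names

class Forbidden(Exception):
    pass

class Controller:
    # Every action must appear in allowed_roles with the roles permitted to call it;
    # an unlisted action is refused, so access is deny-by-default.
    allowed_roles = {}
    def dispatch(self, user, action, **kw):
        if not (user.roles & self.allowed_roles.get(action, set())):
            raise Forbidden(f"{user.name} may not call {action}")
        return getattr(self, action)(user, **kw)

class AdminController(Controller):
    # Administrative abstract controller: demands the admin role before any action.
    def dispatch(self, user, action, **kw):
        if "admin" not in user.roles:
            raise Forbidden(f"{user.name} is not an administrator")
        return super().dispatch(user, action, **kw)

class InviteController(Controller):
    # Regular controller that also hosts an administrative function (creating
    # invites); that function carries its own role check instead of trusting the path.
    allowed_roles = {"get_invite": {"user", "admin"}, "new_invite": {"admin"}}
    def get_invite(self, user, invite_guid):
        return {"invite": invite_guid, "status": "pending"}
    def new_invite(self, user, email):
        return {"created_for": email, "by": user.name}

class AdminUsersController(AdminController):
    allowed_roles = {"list_all": {"admin"}}
    def list_all(self, user):
        return ["alice", "bob"]  # constructed sample data

# Route table keyed by (method, path): the HTTP method is part of the key, so
# switching GET to POST reaches a different, separately authorized function.
ROUTES = {
    ("GET", "/api/invites/{invite_guid}"): (InviteController(), "get_invite"),
    ("POST", "/api/invites/new"): (InviteController(), "new_invite"),
    ("GET", "/api/admin/v1/users/all"): (AdminUsersController(), "list_all"),
}

def handle(user, method, path, **kw):
    controller, action = ROUTES.get((method, path), (None, None))
    if controller is None:  # unknown method/path pairs are refused, not guessed
        raise Forbidden(f"no route for {method} {path}")
    return controller.dispatch(user, action, **kw)
```

With this layout, a regular user can fetch their own invite but is refused on `POST /api/invites/new` and `GET /api/admin/v1/users/all`, which is exactly the behaviour the two scenarios below describe as missing.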

>Attack Scenarios

#1 Admin invite endpoint exploitation

During the registration process for an application that only allows invited users to join, the mobile application triggers an API call to GET /api/invites/{invite_guid}. The attacker discovers this endpoint and manipulates it to POST /api/invites/new, which is an administrative endpoint that should not be accessible to regular users. Because the endpoint doesn't implement function level authorization checks, the attacker creates an invite and grants themselves admin privileges.

#2 Unprotected admin user listing

An attacker identifies an administrative API endpoint GET /api/admin/v1/users/all by guessing common URL patterns. Because the endpoint does not implement function level authorization checks, the attacker gains access to sensitive details of all users in the system.

>Related CWEs

>References
