OWASP API Security Top 10 API5:2019 Broken Function Level Authorization with Example

In the previous blog, we learned about the OWASP API Security Top 10 API4:2019 Lack of Resources & Rate Limiting with Example. In this blog, we will learn about the OWASP API Security Top 10 API5:2019 Broken Function Level Authorization, its impact, an example, and remediation.

What is Broken Function Level Authorization?

When an attacker can send a legitimate API request to an endpoint in order to access data or perform tasks that they should not have access to, it is a form of broken function-level authorization. This type of attack can allow unauthorized users to gain access to sensitive information or perform actions they are not permitted to perform.


Impact of Broken Function Level Authorization

The attacker is able to perform any unauthorized task or access any sensitive data or functionality. This allows them to wreak havoc on an organization and access sensitive information they should not have access to.

Administrative functionality is the key target for any attacker, as this gives them the most control over the system. By gaining access to this functionality, they can cause severe damage to the organization.

How to check if the API endpoint is vulnerable to Broken Function Level Authorization?

  • Perform a deep analysis of the authorization mechanism to understand the user roles and permissions
  • Check whether you are able to access administrative API endpoints
  • Check whether you are able to perform sensitive tasks like the creation, modification, or deletion of data by changing the request method from GET to DELETE or GET to POST
  • Check whether a user with Role A is able to access functionality that is exposed only to Role B users

Example of Broken Function Level Authorization

I have one POST method-based API endpoint that takes user credentials as input and returns an authentication token that will be used to call other API endpoints that require authentication.

But when we change the request method from POST to GET and send the request, the application will send a response containing USER_ID, username, and Password. 


Remediation of Broken Function Level Authorization

  • Enforce an authorization mechanism that denies access to all functionality by default
  • Review API endpoints against Broken Function Level Authorization
  • Make sure only users with the admin role/group can access administrative functionality
  • Make sure the application conducts an authorization check based on user role/group before allowing users to access any functionality
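
A deny-by-default, function-level authorization check of the kind the list above describes, as an added example that is not code from the original post. The endpoint paths, role names and status-code choices are assumptions made for illustration; `reachable()` lists what a role can actually call so it can be reviewed against the intended design.

```python
from typing import List, Optional, Tuple

ANONYMOUS = "anonymous"
METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")

# Constructed policy: every (method, path) a role may call is listed explicitly.
# Anything absent from this table is denied, including other verbs on a known path.
POLICY = {
    ("POST", "/api/login"): {ANONYMOUS, "user", "admin"},
    ("GET", "/api/orders"): {"user", "admin"},
    ("POST", "/api/orders"): {"user", "admin"},
    ("DELETE", "/api/orders"): {"admin"},
    ("GET", "/api/admin/users"): {"admin"},
}


def authorize(method: str, path: str, role: Optional[str]) -> int:
    """Return the HTTP status to answer with before any handler code runs."""
    method = method.upper()
    path = path.rstrip("/") or "/"  # treat "/api/orders/" like "/api/orders"
    if not any(p == path for (_, p) in POLICY):
        return 404  # unknown function
    allowed_roles = POLICY.get((method, path))
    if allowed_roles is None:
        return 405  # known path, but this verb was never granted to anyone
    role = role or ANONYMOUS
    if role in allowed_roles:
        return 200
    # Unauthenticated callers must log in; authenticated ones lack the role.
    return 401 if role == ANONYMOUS else 403


def reachable(role: Optional[str]) -> List[Tuple[str, str]]:
    """Every (method, path) the role is allowed to call, for review."""
    paths = sorted({p for (_, p) in POLICY})
    return [(m, p) for p in paths for m in METHODS if authorize(m, p, role) == 200]


if __name__ == "__main__":
    # The case from the example above: the login endpoint called with GET.
    print("GET /api/login as anonymous ->", authorize("GET", "/api/login", None))
    for r in (None, "user", "admin"):
        print(r or ANONYMOUS, reachable(r))
```
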

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
