Broken Function Level Authorization

Broken Function Level Authorization occurs when an API exposes sensitive functions or administrative operations without enforcing role-based or permission-based access checks on the server, so a caller can invoke actions beyond their privileges simply by requesting the endpoint.

Remediation

  • Implement server-side role and permission validation for every API endpoint, especially administrative and sensitive functions.
  • Segregate administrative and user-level functions into separate endpoints and enforce strict authentication and authorization checks.
  • Avoid relying solely on client-side enforcement; ensure authorization logic is applied consistently on the server.
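The three remediation points above, shown as an added example that is not SecDim's code: a vulnerable handler that trusts a client-supplied `is_admin` flag next to a hardened one where the permission check is bound to the function and reads only the server-resolved principal. The role table, `Principal` class and handler names are constructed for illustration.

```python
# Added example (not SecDim's code): function-level authorization enforced
# server-side for every handler, independent of anything the client claims.
from dataclasses import dataclass
from functools import wraps

# Constructed role -> permission map; in a real service this comes from the
# authorization policy, never from the request body or headers.
ROLE_PERMISSIONS = {
    "user": {"users:read_self"},
    "admin": {"users:read_self", "users:list", "users:delete"},
}

@dataclass
class Principal:
    user_id: str
    role: str  # resolved on the server from the validated session or token

class Forbidden(Exception):
    pass

def requires(permission):
    """Deny the call unless the server-resolved principal holds `permission`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
                raise Forbidden(f"{principal.user_id} lacks {permission}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator

# Vulnerable: the decision rests on a flag the client sends in the request.
def delete_user_vulnerable(principal, target_id, request_body):
    if request_body.get("is_admin"):  # attacker-controlled input
        return f"deleted {target_id}"
    raise Forbidden("not admin")

# Hardened: the check is attached to the function and uses only server state.
@requires("users:delete")
def delete_user(principal, target_id):
    return f"deleted {target_id}"

@requires("users:list")
def list_users(principal):
    return ["alice", "bob"]

def allowed(handler, principal, *args, **kwargs):
    """Return True if the handler accepts the call, False if it denies it."""
    try:
        handler(principal, *args, **kwargs)
        return True
    except Forbidden:
        return False
```

`allowed(delete_user_vulnerable, Principal("bob", "user"), "alice", {"is_admin": True})` returns True, which is the defect; the decorated `delete_user` denies the same caller regardless of request content.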

Metadata

  • Severity: high
  • Slug: broken-function-level-authorization

CWEs

  • 284: Improper Access Control
  • 285: Improper Authorization
  • 266: Incorrect Privilege Assignment

OWASP

  • A01:2021: Broken Access Control
  • API3:2023: Broken Function Level Authorization

Available Labs

Open Openapi labs in SecDim Play for this vulnerability.
