<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="The Ten Most Critical API Security Risks"> <meta name="author" content="OWASP API Security Project team"> <link rel="canonical" href="https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/"> <link rel="prev" href="../0xa4-unrestricted-resource-consumption/"> <link rel="next" href="../0xa6-unrestricted-access-to-sensitive-business-flows/"> <link rel="icon" href="../../../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.0.9"> <title>API5:2023 Broken Function Level Authorization - OWASP API Security Top 10</title> <link rel="stylesheet" href="../../../../assets/stylesheets/main.0d440cfe.min.css"> <link rel="stylesheet" href="../../../../assets/stylesheets/palette.2505c338.min.css"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"> <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style> <link rel="stylesheet" href="../../../../assets/stylesheets/extra.css"> <script>__md_scope=new URL("../../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent=""> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div 
data-md-component="skip"> <a href="#api52023-broken-function-level-authorization" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label=""> <a href="../../../.." title="OWASP API Security Top 10" class="md-header__button md-logo" aria-label="OWASP API Security Top 10" data-md-component="logo"> <img src="../../../../assets/images/icon.png" alt="logo"> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> OWASP API Security Top 10 </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> API5:2023 Broken Function Level Authorization </span> </div> </div> </div> <div style="margin-left: 10px; margin-right: 10px;"> <div class="md-header__option"> <div class="md-select"> <button class="md-header__button md-icon" aria-label="??"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m12.87 15.07-2.54-2.51.03-.03A17.52 17.52 0 0 0 14.07 6H17V4h-7V2H8v2H1v2h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04M18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12m-2.62 7 1.62-4.33L19.12 17h-3.24Z"/></svg> </button> <div class="md-select__inner"> <ul class="md-select__list"> <li class="md-select__item"> <a href="https://owasp.org/API-Security/editions/2023/id/0xa5-broken-function-level-authorization/" hreflang="id" class="md-select__link"> Bahasa (Indonesian) </a> </li> <li class="md-select__item"> <a href="https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/" hreflang="en" 
class="md-select__link"> English </a> </li> <li class="md-select__item"> <a href="https://owasp.org/API-Security/editions/2023/fr/0xa5-broken-function-level-authorization/" hreflang="fr" class="md-select__link"> Français </a> </li> <li class="md-select__item"> <a href="https://owasp.org/API-Security/editions/2023/fa/0xa5-broken-function-level-authorization/" hreflang="fa" class="md-select__link"> Persian </a> </li> </ul> </div> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 
5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> <div class="md-search__suggest" data-md-component="search-suggest"></div> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list" role="presentation"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://github.com/OWASP/API-Security" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> OWASP/API-Security </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <nav class="md-tabs" aria-label="Tabs" data-md-component="tabs"> <div class="md-tabs__inner md-grid"> <ul class="md-tabs__list"> <li class="md-tabs__item"> <a href="../../../.." 
class="md-tabs__link"> Home </a> </li> <li class="md-tabs__item"> <a href="../0x00-header/" class="md-tabs__link md-tabs__link--active"> 2023 </a> </li> <li class="md-tabs__item"> <a href="../../../2019/en/0x00-header/" class="md-tabs__link"> 2019 </a> </li> </ul> </div> </nav> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <h1 id="api52023-broken-function-level-authorization">API5:2023 Broken Function Level Authorization</h1>
<table> <thead> <tr> <th>Threat agents/Attack vectors</th> <th>Security Weakness</th> <th>Impacts</th> </tr> </thead> <tbody> <tr> <td>API Specific : Exploitability <strong>Easy</strong></td> <td>Prevalence <strong>Common</strong> : Detectability <strong>Easy</strong></td> <td>Technical <strong>Severe</strong> : Business Specific</td> </tr> <tr> <td>Exploitation requires the attacker to send 
legitimate API calls to an API endpoint that they should not have access to as anonymous users or regular, non-privileged users. Exposed endpoints will be easily exploited.</td> <td>Authorization checks for a function or resource are usually managed at the configuration or code level. Implementing proper checks can be a confusing task since modern applications can contain many types of roles, groups, and complex user hierarchies (e.g. sub-users, or users with more than one role). It's easier to discover these flaws in APIs since APIs are more structured, and accessing different functions is more predictable.</td> <td>Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack and may lead to data disclosure, data loss, or data corruption. Ultimately, it may lead to service disruption.</td> </tr> </tbody> </table>
<h2 id="is-the-api-vulnerable">Is the API Vulnerable?</h2> <p>The best way to find broken function level authorization issues is to perform a deep analysis of the authorization mechanism while keeping in mind the user hierarchy and the different roles or groups in the application, and asking the following questions:</p> <ul> <li>Can a regular user access administrative endpoints?</li> <li>Can a user perform sensitive actions (e.g. creation, modification, or deletion) that they should not have access to by simply changing the HTTP method (e.g. from <code>GET</code> to <code>DELETE</code>)?</li> <li>Can a user from group X access a function that should be exposed only to users from group Y, by simply guessing the endpoint URL and parameters (e.g. 
<code>/api/v1/users/export_all</code>)?</li> </ul> <p>Don't assume that an API endpoint is regular or administrative based only on its URL path.</p> <p>While developers might choose to expose most administrative endpoints under a specific relative path, like <code>/api/admins</code>, it is very common to find administrative endpoints under other relative paths, mixed in with regular endpoints, like <code>/api/users</code>.</p>
<h2 id="example-attack-scenarios">Example Attack Scenarios</h2>
<h3 id="scenario-1">Scenario #1</h3> <p>During the registration process for an application that allows only invited users to join, the mobile application triggers an API call to <code>GET /api/invites/{invite_guid}</code>. The response contains JSON with details about the invite, including the user's role and the user's email.</p> <p>An attacker duplicates the request and manipulates the HTTP method and endpoint to <code>POST /api/invites/new</code>. This endpoint should only be accessed by administrators using the admin console. The endpoint does not implement function level authorization checks.</p> <p>The attacker exploits the issue and sends a new invite with admin privileges:</p> <pre><code>POST /api/invites/new {"email":"attacker@somehost.com","role":"admin"}</code></pre> <p>Later on, the attacker uses the maliciously crafted invite to create an admin account for themselves and gain full access to the system.</p>
<h3 id="scenario-2">Scenario #2</h3> <p>An API contains an endpoint that should be exposed only to administrators - <code>GET /api/admin/v1/users/all</code>. This endpoint returns the details of all the users of the application and does not implement function level authorization checks. 
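Both scenarios fail at the same point: the function is reachable without a role-specific check. The Python module below is an added example (not code from the OWASP page) of the deny-by-default policy that closes both, applied to the endpoints named on this page; the role names user and admin are hypothetical and the invite GUID is constructed:

```python
"""Deny-by-default function level authorization (added example, not OWASP code).

Every function (HTTP method + route) needs an explicit grant to one or more
roles; anything without a grant is denied, which also closes GET->DELETE method
switching and guessed endpoints. Role names and the GUID below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    roles: frozenset  # roles of the authenticated caller; empty = anonymous


class Forbidden(Exception):
    """Raised when no grant allows the caller to invoke this function."""


class FunctionAuthorizer:
    """One authorization module, invoked before any business function runs."""
    def __init__(self):
        self._grants = []  # (METHOD, compiled route pattern, allowed roles)

    def grant(self, method, route, *roles):
        # A '{param}' segment matches exactly one path segment; every other
        # segment is literal, so a grant never leaks onto neighbouring paths.
        segments = [
            r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in route.split("/")
        ]
        pattern = re.compile("^" + "/".join(segments) + "$")
        self._grants.append((method.upper(), pattern, frozenset(roles)))
        return self

    def authorize(self, request):
        """Return the roles allowed for this function, or raise Forbidden."""
        allowed = set()
        for method, pattern, roles in self._grants:
            if method == request.method.upper() and pattern.match(request.path):
                allowed.update(roles)
        if not allowed:  # unknown path or unexpected method: no grant, so deny
            raise Forbidden(f"{request.method} {request.path}: no grant for this function")
        if request.roles.isdisjoint(allowed):
            raise Forbidden(f"{request.method} {request.path}: requires {sorted(allowed)}")
        return sorted(allowed)


def build_policy():
    """Grants for the endpoints discussed on this page (hypothetical roles)."""
    return (
        FunctionAuthorizer()
        # invite lookup during registration: any authenticated caller
        .grant("GET", "/api/invites/{invite_guid}", "user", "admin")
        # creating invites is an admin-console function, even though it shares
        # the /api/invites prefix with the regular lookup
        .grant("POST", "/api/invites/new", "admin")
        .grant("GET", "/api/admin/v1/users/all", "admin")
        # admin-only function sitting under a "regular" path prefix
        .grant("GET", "/api/v1/users/export_all", "admin")
        .grant("GET", "/api/users/{user_id}", "user", "admin")
    )


def decide(authorizer, request):
    # 'allow' or 'deny' for one request, for tabulating cases
    try:
        authorizer.authorize(request)
        return "allow"
    except Forbidden:
        return "deny"


if __name__ == "__main__":
    policy = build_policy()
    user, admin = frozenset({"user"}), frozenset({"admin"})
    cases = [  # constructed requests covering both scenarios on this page
        Request("GET", "/api/invites/3f2b0c9e-1111-4222-8333-444455556666", user),
        Request("POST", "/api/invites/new", user),         # Scenario #1 attempt
        Request("GET", "/api/admin/v1/users/all", user),   # Scenario #2 attempt
        Request("DELETE", "/api/users/42", user),          # method switched on a GET-only route
        Request("GET", "/api/v1/users/export_all", user),  # guessed admin function
        Request("POST", "/api/invites/new", admin),        # legitimate admin-console call
    ]
    for r in cases:
        print(f"{decide(policy, r):5}  {r.method:6} {r.path}  roles={sorted(r.roles)}")
```

An anonymous caller (empty role set) is denied even on granted routes, since it intersects with nothing, and a method-and-path pair with no grant at all is rejected before any handler runs.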
An attacker who learned the API structure takes an educated guess and manages to access this endpoint, which exposes sensitive details of the users of the application.</p>
<h2 id="how-to-prevent">How To Prevent</h2> <p>Your application should have a consistent and easy-to-analyze authorization module that is invoked from all your business functions. Frequently, such protection is provided by one or more components external to the application code.</p> <ul> <li>The enforcement mechanism(s) should deny all access by default, requiring explicit grants to specific roles for access to every function.</li> <li>Review your API endpoints against function level authorization flaws, while keeping in mind the business logic of the application and the group hierarchy.</li> <li>Make sure that all of your administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user's group/role.</li> <li>Make sure that administrative functions inside a regular controller implement authorization checks based on the user's group and role.</li> </ul>
<h2 id="references">References</h2> <h3 id="owasp">OWASP</h3> <ul> <li><a href="https://owasp.org/www-community/attacks/Forced_browsing">Forced Browsing</a></li> <li>"A7: Missing Function Level Access Control", <a href="https://github.com/OWASP/Top10/raw/master/2013/OWASP%20Top%2010%20-%202013.pdf">OWASP Top 10 2013</a></li> <li><a href="https://owasp.org/www-community/Access_Control">Access Control</a></li> </ul> <h3 id="external">External</h3> <ul> <li><a href="https://cwe.mitre.org/data/definitions/285.html">CWE-285: Improper Authorization</a></li> </ul> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../0xa4-unrestricted-resource-consumption/" class="md-footer__link md-footer__link--prev" aria-label="Previous: API4:2023 Unrestricted Resource Consumption" rel="prev"> <div class="md-footer__button 
md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> API4:2023 Unrestricted Resource Consumption </div> </div> </a> <a href="../0xa6-unrestricted-access-to-sensitive-business-flows/" class="md-footer__link md-footer__link--next" aria-label="Next: API6:2023 Unrestricted Access to Sensitive Business Flows" rel="next"> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> API6:2023 Unrestricted Access to Sensitive Business Flows </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> <div class="md-copyright__highlight"> © Copyright 2023 - OWASP API Security Project team </div> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "../../../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.footer", "search.suggest"], "search": "../../../../assets/javascripts/workers/search.db81ec45.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", 
"search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src="../../../../assets/javascripts/bundle.a00a7c5e.min.js"></script> </body> </html>