API5:2019 — Broken function level authorization

The API relies on the client to use user level or admin level APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.

No authorization for admin methods can allow anyone to use them.

Use case

  • Some administrative functions are exposed as APIs.
  • Non-privileged users can access these functions without authorization if they know how.
  • Can be a matter of knowing the URL, or using a different verb or a parameter:
    • /api/users/v1/user/myinfo
    • /api/admins/v1/users/all

How to prevent

  • Do not rely on the client to enforce admin access.
  • Deny all access by default.
  • Only allow operations to users belonging to the appropriate group or role.
  • Properly design and test authorization.