API5:2019 — Broken function level authorization
The API relies on the client to use user level or admin level APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.
Use case
- Some administrative functions are exposed as APIs.
- Non-privileged users can access these functions without authorization if they know how.
- Reaching them can be a matter of knowing the URL, using a different HTTP verb, or adding a parameter:
/api/users/v1/user/myinfo
/api/admins/v1/users/all
How to prevent
- Do not rely on the client to enforce admin access.
- Deny all access by default.
- Only allow operations to users belonging to the appropriate group or role.
- Properly design and test authorization.
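The prevention list above, as an added Python example (not 42Crunch's code): a server-side, deny-by-default allow-list keyed on verb and path, with roles taken from the verified session rather than from anything the client sends. The two paths come from the page; the verbs, role names and sample data are assumptions.

```python
"""Deny-by-default, role-based function-level authorization (added example)."""
from dataclasses import dataclass

# Explicit allow-list: (HTTP verb, path) -> roles permitted to invoke it.
# Anything not listed here is denied, whatever the client claims.
# Paths are from the page; verbs and role names are assumptions.
ROUTE_POLICY = {
    ("GET", "/api/users/v1/user/myinfo"): {"user", "admin"},
    ("GET", "/api/admins/v1/users/all"): {"admin"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset  # derived server-side from the verified session/token


def is_authorized(principal, method, path):
    """True only if the route is allow-listed AND the caller holds a permitted role."""
    allowed_roles = ROUTE_POLICY.get((method.upper(), path))
    if allowed_roles is None:
        return False  # unknown verb/path combination: deny by default
    return bool(principal.roles & allowed_roles)


def handle(principal, method, path, query=None):
    """Dispatch helper: the authorization check runs before any business logic.

    `query` is untrusted client input; it is deliberately never consulted
    for the decision, so a parameter like ?role=admin changes nothing.
    """
    if not is_authorized(principal, method, path):
        return 403, {"error": "forbidden"}
    if path == "/api/admins/v1/users/all":
        return 200, {"users": ["alice", "bob"]}  # constructed sample data
    return 200, {"user": principal.user_id}


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))
    root = Principal("root", frozenset({"admin"}))
    print(handle(alice, "GET", "/api/users/v1/user/myinfo"))          # 200
    print(handle(alice, "GET", "/api/admins/v1/users/all"))           # 403: wrong role
    print(handle(alice, "DELETE", "/api/users/v1/user/myinfo"))       # 403: verb not listed
    print(handle(alice, "GET", "/api/users/v1/user/myinfo", {"role": "admin"}))  # 200, not elevated
    print(handle(root, "GET", "/api/admins/v1/users/all"))            # 200
```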
Copyright 42Crunch 2021