The API relies on the client to call user-level or admin-level (privileged) API methods as appropriate. Attackers work out the "hidden" admin API methods and invoke them directly.
- Some administrative functions are exposed as APIs.
- Sensitive operations (for example, deleting a resource) should only be available internally.
- Non-privileged users can reach these functions without authorization if they know how.
- Reaching them can be a matter of knowing the URL, using a different HTTP verb, or adding a parameter.
How to prevent
- Do not rely on the client to enforce admin access.
- Deny all access by default.
- Only allow operations to users belonging to the appropriate group or role.
- Implement properly designed and tested authorization.
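The prevention points above, as an added example that is not part of the original notes: a small user-management API with a broken dispatcher that trusts a client-supplied admin flag, beside a fixed one that decides from server-side roles and an explicit allow-list keyed by (verb, route), denying everything unlisted. Routes, roles and the in-memory user store are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # roles are resolved server-side (e.g. from the session), never from the request


class Forbidden(Exception):
    pass


USERS = {"1": "alice", "2": "bob"}  # constructed sample data

# Allow-list: (HTTP verb, route template) -> roles permitted to call it.
# Any (verb, route) pair not present is denied, so an undocumented admin
# endpoint or an unexpected verb on a known path is never reachable by accident.
POLICY = {
    ("GET", "/users/me"): frozenset({"user", "admin"}),
    ("GET", "/users"): frozenset({"admin"}),
    ("DELETE", "/users/{id}"): frozenset({"admin"}),
}

HANDLERS = {
    ("GET", "/users/me"): lambda user, _id: user.name,
    ("GET", "/users"): lambda user, _id: sorted(USERS.values()),
    ("DELETE", "/users/{id}"): lambda user, uid: USERS.pop(uid, None) is not None,
}


def vulnerable_handle(user, verb, route, user_id=None, client_says_admin=False):
    # Broken: the server trusts a flag the client controls, so any caller who
    # knows the route and sets the flag reaches the admin-only handler.
    handler = HANDLERS[(verb, route)]
    if route != "/users/me" and not client_says_admin:
        raise Forbidden("admin flag not set")
    return handler(user, user_id)


def is_allowed(user, verb, route):
    # Default deny: an unlisted (verb, route) yields an empty role set.
    return bool(user.roles & POLICY.get((verb, route), frozenset()))


def handle(user, verb, route, user_id=None):
    # Fixed: authorization is decided from server-side roles against the
    # allow-list before any handler runs; the client has no say in it.
    if not is_allowed(user, verb, route):
        raise Forbidden(f"{user.name} may not {verb} {route}")
    return HANDLERS[(verb, route)](user, user_id)
```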