API 05:2023 — Broken function level authorization

The API relies on the client to use user-level or admin-level/privileged APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.

Use case

Some administrative functions are exposed as APIs.
Sensitive operations should only be available internally (for example deleting a resource)
Non-privileged users can access these functions without authorization if they know how.
Can be a matter of knowing the URL, or using a different verb or a parameter:
- /api/users/v1/user/myinfo
- /api/admins/v1/users/all

How to prevent

- Do not rely on the client to enforce admin access.
- Apply deny all access by default.

Only allow operations to users belonging to the appropriate group or role.
Implement properly designed and tested authorization.

OWASP API Security Top 10 2023 ist

Apisecurity.io is powered by:

Legal Info

Get in touch with us

Have any news to share? Ideas? Questions?

Contact Us

Copyright 2018-2024 42Crunch Ltd, All Rights Reserved.