The API relies on the client to use user-level or admin-level APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.
Use case
- Some administrative functions are exposed as APIs.
- Non-privileged users can access these functions without authorization if they know how.
- Can be a matter of knowing the URL, or using a different verb or a parameter:
  /api/users/v1/user/myinfo
  /api/admins/v1/users/all
How to prevent
- Do not rely on the client to enforce admin access.
- Deny all access by default.
- Only allow operations to users belonging to the appropriate group or role.
- Properly design and test the authorization logic rather than relying on endpoints being hard to find.
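The prevention points above, as an added example that is not part of the original page: a framework-free request dispatcher in which every (verb, path) pair carries the role it requires, anything not in the route table is denied, and roles come only from a server-side session, never from client-supplied parameters. The session store, tokens, role names and the `Request` type are constructed for the example; the two paths are the ones from the use case.

```python
"""Deny-by-default, server-side function-level authorization for an API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed session store: the SERVER decides who a caller is and what
# roles they hold. Nothing here comes from the request body or query string.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"user"}},
    "tok-bob": {"user": "bob", "roles": {"user", "admin"}},
}

@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None
    params: Dict[str, str] = field(default_factory=dict)  # client-controlled, untrusted

# Route table: each (method, path) is registered with the role it REQUIRES.
# A request whose verb/path is not in the table is refused outright, so a
# "hidden" admin method cannot be reached just by guessing its URL or verb.
ROUTES: Dict[Tuple[str, str], Tuple[str, Callable]] = {}

def route(method: str, path: str, role: str):
    def wrap(fn):
        ROUTES[(method, path)] = (role, fn)
        return fn
    return wrap

@route("GET", "/api/users/v1/user/myinfo", role="user")
def my_info(session, req):
    return 200, {"user": session["user"]}

@route("GET", "/api/admins/v1/users/all", role="admin")
def all_users(session, req):
    return 200, {"users": sorted(s["user"] for s in SESSIONS.values())}

def dispatch(req: Request):
    """Authenticate, look up the route, then enforce the required role."""
    session = SESSIONS.get(req.token) if req.token else None
    if session is None:
        return 401, {"error": "unauthenticated"}
    entry = ROUTES.get((req.method, req.path))
    if entry is None:
        return 404, {"error": "not found"}  # deny by default: unknown verb/path
    required, handler = entry
    # Only the server-side session is consulted; req.params is deliberately
    # ignored here, so a client-supplied "admin=true" cannot elevate privilege.
    if required not in session["roles"]:
        return 403, {"error": "forbidden"}
    return handler(session, req)
```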