API 05:2019 — Broken function level authorization


The API relies on the client to use user-level or admin-level APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.

Admin methods that perform no authorization check can be invoked by anyone who reaches them.

Use case

  • Some administrative functions are exposed as APIs.
  • Non-privileged users can access these functions without authorization if they know how.
  • Reaching them can be a matter of knowing the URL, using a different HTTP verb on a known URL, or adding a parameter:
    • /api/users/v1/user/myinfo
    • /api/admins/v1/users/all

How to prevent

  • Do not rely on the client to enforce admin access.
  • Deny all access by default.
  • Only allow operations to users belonging to the appropriate group or role.
  • Design the authorization logic deliberately and test it, including the admin routes and every verb on each route.
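An added example (not part of the original slide) of the server-side check the list above describes: a hypothetical policy table keyed by verb and path, deny by default, so the admin route from the use case is refused to a regular user even when they know the URL, try another verb, or append a parameter. The route names come from the page; the `POLICY` table, `Principal` class and role names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed policy table: each entry maps an HTTP verb and a path pattern to the
# roles allowed to call it. Anything not listed is denied, so a "hidden" admin
# route gets no free pass just because the client discovered it.
POLICY = [
    ("GET", r"^/api/users/v1/user/myinfo$", {"user", "admin"}),
    ("GET", r"^/api/admins/v1/users/all$", {"admin"}),
    ("DELETE", r"^/api/admins/v1/users/\d+$", {"admin"}),
]

@dataclass
class Principal:
    """Caller identity as established by the server (e.g. from a session)."""
    name: str
    roles: set = field(default_factory=set)

def insecure_authorize(client_claims_admin: bool) -> bool:
    """The broken pattern: trusting a flag the client sends (header, body,
    or ?admin=true) is exactly the 'rely on the client' mistake."""
    return client_claims_admin

def authorize(principal: Principal, method: str, path: str) -> bool:
    """Function-level check done on the server: deny by default, allow only
    when a policy entry matches verb and path AND the caller holds a listed
    role. Query parameters are stripped so they can never influence the
    decision."""
    path = path.split("?", 1)[0]
    for verb, pattern, roles in POLICY:
        if verb == method.upper() and re.match(pattern, path):
            return bool(principal.roles & roles)
    return False  # unknown verb/route combination: not listed, not allowed

def handle_request(principal: Principal, method: str, path: str) -> int:
    """Dispatch only after authorization succeeds; returns an HTTP status."""
    if not authorize(principal, method, path):
        return 403
    return 200  # the real handler would run here
```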

