Broken Function Level Authorization
Broken Function Level Authorization is a critical security vulnerability that occurs when applications verify who you are (authentication) but fail to check what you're allowed to do (authorization). This flaw enables attackers with low-level privileges to bypass authorization checks and execute administrative or sensitive operations, potentially compromising entire systems. It's particularly prevalent in modern web applications and REST APIs where function-level permission checks are overlooked or improperly implemented.
Key Points
- Privilege Escalation Risk: Low-privileged users can perform actions reserved for administrators or higher-privileged roles
- Missing Authorization Checks: Systems authenticate users but don't validate permissions before executing sensitive functions
- Common in APIs: Especially prevalent in REST APIs and modern web applications where backend authorization is weak
- Often Goes Undetected: Successful attacks may not trigger obvious errors, making exploitation difficult to identify
- Related to IDOR: Frequently manifests alongside Insecure Direct Object Reference (IDOR) vulnerabilities
How the Attack Works
Attack Process
Attackers exploit weak or missing authorization checks through a systematic approach:
- Reconnaissance - Discover administrative URLs, API endpoints, or hidden functions through directory enumeration, documentation review, or traffic analysis
- Request Manipulation - Modify HTTP requests, parameters, or object references to target restricted functions
- Bypass Client-Side Controls - Circumvent front-end restrictions that aren't enforced on the backend
- Execute Privileged Operations - Perform administrative tasks without proper authorization
Why It Happens
The vulnerability exists when applications:
- Check authentication status but skip authorization validation
- Rely on "security through obscurity" by hiding administrative functions instead of enforcing access controls
- Fail to validate user roles or permissions before executing sensitive operations
- Use predictable patterns for administrative endpoints (e.g., /admin/*, /api/admin/*)
- Implement authorization checks only on the client side
Practical Example
Vulnerable E-Commerce Application
Consider an online store with these API endpoints:
| User Role | Endpoint | Intended Access |
|---|---|---|
| Customer | GET /api/user/orders | View own orders only |
| Admin | GET /api/admin/orders | View all customer orders |
| Admin | DELETE /api/admin/user/{id} | Delete user accounts |
The Vulnerability:
A regular customer discovers that accessing GET /api/admin/orders returns all customer orders with sensitive data including addresses, payment information, and purchase history. The application only verifies the user is logged in but doesn't check if they have admin privileges.
Attack Scenario
Normal Request:
```http
GET /api/user/profile?id=12345
Authorization: Bearer <customer_token>
```
Malicious Request:
```http
GET /api/admin/deleteUser?id=67890
Authorization: Bearer <customer_token>
```
Without proper function-level authorization, a regular customer could:
- View all customer data across the platform
- Delete other user accounts
- Modify system settings or pricing
- Access confidential business analytics
- Elevate their own account privileges
Prevention Best Practices
Implement Server-Side Authorization
Critical: Never rely on client-side controls alone. All authorization checks must be enforced on the server.
- Role-Based Access Control (RBAC): Implement comprehensive role and permission systems
- Validate Every Request: Check both authentication AND authorization for all sensitive functions
- Deny by Default: Require explicit permission grants rather than blocking specific actions
- Centralize Authorization Logic: Use a consistent authorization framework across your entire application
Secure Code Implementation
Vulnerable Code:
```javascript
// Only checks if user is logged in; any authenticated user reaches the admin function
if (user.isAuthenticated()) {
  executeAdminFunction();
}
```
Secure Code:
```javascript
// Checks both authentication and authorization
if (user.isAuthenticated() && user.hasRole('ADMIN')) {
  executeAdminFunction();
} else {
  throw new UnauthorizedException('Insufficient privileges');
}
```
Framework-Level Protection:
```python
# Using decorators for consistent enforcement
@require_role('ADMIN')
def delete_user(user_id):
    # Function only executes if user has ADMIN role
    User.delete(user_id)
```
API Security Measures
- Consistent Endpoint Design: Avoid predictable patterns that reveal administrative functions
- Principle of Least Privilege: Grant users only the minimum permissions necessary
- Separate Authorization Layer: Implement middleware or filters that validate permissions before routing requests
- Document Access Requirements: Clearly specify which roles can access each endpoint
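The following is an added example (not code from the original page) that puts the practices above together for the e-commerce endpoints in the table: a central, deny-by-default policy consulted before any handler runs, plus a `require_role` decorator of the kind shown under Framework-Level Protection. The `Principal`, `POLICY` and `authorize` names are assumptions made for this illustration.

```python
# Added example: centralized, deny-by-default function-level authorization.
# Principal, POLICY and authorize are assumed names, not a real framework's API.
from dataclasses import dataclass, field
from functools import wraps
import re

@dataclass
class Principal:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)

    def has_role(self, role):
        return role in self.roles

class UnauthorizedException(Exception):
    pass

# Central policy: (method, path pattern) -> roles allowed to call that function.
# Any request not matched by an entry is denied, so a new /api/admin/* route
# is never accidentally exposed by an authentication-only check.
POLICY = [
    ("GET",    re.compile(r"^/api/user/orders$"),    {"CUSTOMER", "ADMIN"}),
    ("GET",    re.compile(r"^/api/admin/orders$"),   {"ADMIN"}),
    ("DELETE", re.compile(r"^/api/admin/user/\d+$"), {"ADMIN"}),
]

def authorize(principal, method, path):
    """Return True only when an explicit policy entry grants the caller access."""
    if principal is None:                      # unauthenticated: never allowed
        return False
    for policy_method, pattern, roles in POLICY:
        if policy_method == method and pattern.match(path):
            return any(principal.has_role(r) for r in roles)
    return False                               # deny by default: unknown function

def require_role(role):
    """Decorator form: the wrapped handler runs only for principals holding `role`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if principal is None or not principal.has_role(role):
                raise UnauthorizedException("Insufficient privileges")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator

@require_role("ADMIN")
def delete_user(principal, user_id):
    return f"deleted user {user_id}"           # stand-in for User.delete(user_id)
```

Both mechanisms fail closed: a CUSTOMER token is rejected at /api/admin/orders even though it authenticates, and a path with no policy entry is denied for everyone, including admins, until someone explicitly grants it.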
Testing and Detection
Security Testing Approaches
- Manual Testing: Attempt to access administrative endpoints using low-privilege accounts
- Automated Scanning: Use tools like Burp Suite, OWASP ZAP, or Postman to test authorization across all endpoints
- Role-Based Testing: Test every endpoint with each user role to verify proper access control
- Negative Testing: Verify that unauthorized access attempts are properly denied and logged
Monitoring for Exploitation
Warning Signs:
- Users accessing endpoints outside their normal usage patterns
- Unusual spikes in administrative function calls from non-admin accounts
- Access attempts to hidden or undocumented API endpoints
- Successful requests to privileged functions from low-privilege accounts
- Multiple authorization failures followed by successful access
Implement Logging:
```text
[ALERT] User ID 12345 (role: CUSTOMER) accessed /api/admin/orders
[ALERT] Privilege escalation attempt detected from IP 192.168.1.100
[ALERT] Unauthorized access to DELETE /api/admin/user/67890
```
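As an added example (not from the original page), the detection logic below raises the kind of alerts shown above from constructed access-log lines: it flags successful calls to administrative functions by non-admin roles, and a run of authorization failures followed by a success. The log line format, `ADMIN_PREFIX` and `FAILURE_THRESHOLD` are assumptions for this illustration.

```python
# Added example: detecting the warning signs listed above in access logs.
# The log format and thresholds are assumed; adapt them to your own logging.
import re
from collections import defaultdict

# Constructed sample log: "<user_id> <role> <method> <path> <status>"
SAMPLE_LOG = """\
12345 CUSTOMER GET /api/user/orders 200
12345 CUSTOMER GET /api/admin/orders 200
777 CUSTOMER DELETE /api/admin/user/67890 403
777 CUSTOMER DELETE /api/admin/user/67890 403
777 CUSTOMER DELETE /api/admin/user/67890 403
777 CUSTOMER GET /api/admin/orders 200
1 ADMIN GET /api/admin/orders 200
"""
LINE_RE = re.compile(r"^(\d+) (\w+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
ADMIN_PREFIX = "/api/admin/"     # functions that only ADMIN should ever reach
FAILURE_THRESHOLD = 3            # consecutive denials that make a later success suspicious

def detect(log_text):
    """Return alert strings for privileged functions reached by non-admin roles
    and for bursts of authorization failures followed by a success."""
    alerts = []
    consecutive_failures = defaultdict(int)   # user_id -> current run of 401/403
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # skip lines that do not parse
        user_id, role, method, path, status = m.groups()
        status = int(status)
        # Sign 1: a successful request to an admin function from a non-admin role
        if path.startswith(ADMIN_PREFIX) and role != "ADMIN" and status < 400:
            alerts.append(f"[ALERT] User ID {user_id} (role: {role}) accessed {method} {path}")
        # Sign 2: repeated authorization failures, then a success (probing paid off)
        if status in (401, 403):
            consecutive_failures[user_id] += 1
        elif consecutive_failures[user_id] >= FAILURE_THRESHOLD:
            alerts.append(f"[ALERT] Privilege escalation attempt: user {user_id} succeeded on "
                          f"{method} {path} after {consecutive_failures[user_id]} denials")
            consecutive_failures[user_id] = 0
        else:
            consecutive_failures[user_id] = 0
    return alerts
```

On the constructed sample this yields three alerts: the customer 12345 reading /api/admin/orders, and user 777 both reaching an admin function and doing so right after three denials; the admin's own request produces none.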
Real-World Impact
Organizations affected by Broken Function Level Authorization have experienced:
- Data Breaches: Unauthorized access to customer records, financial data, and personal information
- Account Takeovers: Attackers elevating privileges to gain administrative control
- Financial Loss: Unauthorized transactions, pricing modifications, or fraudulent refunds
- Compliance Violations: GDPR, HIPAA, and PCI-DSS violations resulting in fines
- Reputation Damage: Loss of customer trust and brand credibility
Learn More
Industry Standards and References
- OWASP Top 10: Broken Access Control - Consistently ranked as a top web application security risk
- OWASP API Security Top 10: API5:2023 - Broken Function Level Authorization
- CWE-285: Improper Authorization - Common Weakness Enumeration reference
- NIST Guidelines: Access Control standards and implementation guidance
Additional Resources
- OWASP Testing Guide: Authorization Testing methodologies and checklists
- OWASP ASVS: Application Security Verification Standard for access control requirements
- API Security Best Practices: REST API security guidelines and authorization patterns