🔒 OWASP API Security Training

A5: Broken Function Level Authorization

📋 Overview

Broken Function Level Authorization is a critical vulnerability in the OWASP API Security Top 10. This vulnerability occurs when an API fails to properly enforce authorization checks on sensitive administrative functions, allowing unauthorized users to access privileged operations.

⚠️ Key Concept

The Human Predictability Factor: Humans are predictable in their naming conventions and organizational patterns. Attackers exploit this predictability to discover hidden or administrative endpoints that should not be publicly accessible.

🎯 Understanding the Vulnerability

This vulnerability is essentially Broken Access Control in API flavor. The key issue is that endpoints that should require administrative privileges are accessible to regular users or are easily discoverable through predictable patterns.

Attack Flow Diagram

1. Discovery - Identify API endpoints
2. Pattern Analysis - Guess hidden endpoints
3. Exploitation - Access admin functions
4. Privilege Abuse - Execute unauthorized actions

🔍 Practical Example Walkthrough

Scenario: Discovering Hidden Admin Endpoints

Starting Point: The API documentation reveals a public books endpoint, but also hints at the existence of administrative functions.

Step 1: Access the documented public endpoint
GET /books

This endpoint is publicly accessible and returns a list of all books.

Step 2: Identify that an admin endpoint exists in the documentation
GET /admin (mentioned but not fully documented)

The documentation hints at administrative functions but doesn't provide complete details.

Step 3: Attempt common admin endpoint patterns
curl -X GET https://api.example.com/resources/admin
curl -X GET https://api.example.com/v2/admin

These are common patterns attackers try, but they may not always work.

Step 4: Discover the actual vulnerable endpoint (API v3)
curl -X GET https://api.example.com/v3/admin

Result: Returns "400 Bad Request" instead of "403 Forbidden"

Step 5: Analyze the response

Critical Finding: The endpoint returns "400 Bad Request" instead of "403 Forbidden". This indicates the endpoint exists and the request reached its handler: the server validated the input before (or instead of) checking the caller's privileges, so the error reveals that a different request method or set of parameters is expected rather than denying access.

Step 6: Try different HTTP methods
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{}'

Switch from GET to POST, since the 400 error suggests the request type was wrong rather than that access was denied.

Step 7: Perform parameter discovery
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"action": "list"}'
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"command": "users"}'
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"operation": "getAll"}'

Attempt various parameter combinations to discover valid admin operations.

🛠️ Common Attack Vectors

Version Guessing

Trying different API versions:

/v1/admin
/v2/admin
/v3/admin

Path Variations

Testing different path structures:

/admin
/resources/admin
/api/admin

HTTP Method Testing

Trying various HTTP methods:

GET /admin
POST /admin
PUT /admin

Parameter Brute-forcing

Discovering valid parameters:

{"action": "..."}
{"operation": "..."}
{"command": "..."}

🎓 Advanced Testing Commands

Basic Endpoint Discovery

curl -X GET https://api.example.com/v3/admin -v

Use verbose mode to see detailed response headers and status codes.

Testing with Different HTTP Methods

curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json"
curl -X PUT https://api.example.com/v3/admin -H "Content-Type: application/json"
curl -X DELETE https://api.example.com/v3/admin

Parameter Fuzzing

curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"action":"list","type":"users"}'
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"operation":"create","resource":"admin"}'
curl -X POST https://api.example.com/v3/admin -H "Content-Type: application/json" -d '{"cmd":"exec","target":"system"}'

Authentication Bypass Testing

curl -X POST https://api.example.com/v3/admin -H "Authorization: Bearer fake_token" -H "Content-Type: application/json"
curl -X POST https://api.example.com/v3/admin -H "X-Admin: true" -H "Content-Type: application/json"

Using Automated Tools

ffuf -u https://api.example.com/FUZZ/admin -w wordlist.txt -mc 200,400,401,403
wfuzz -c -z file,/path/to/wordlist.txt https://api.example.com/FUZZ/admin

🔐 Security Best Practices

For API Developers

  • Implement Proper Authorization: Always verify user permissions before granting access to sensitive functions
  • Return Consistent Error Messages: Use "403 Forbidden" for unauthorized access, not "400 Bad Request"
  • Avoid Predictable Patterns: Don't use obvious naming conventions like /admin, /v3/admin
  • Use Role-Based Access Control (RBAC): Implement granular permission systems
  • Log Access Attempts: Monitor and alert on suspicious access patterns
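The practices above come together in the order of checks inside a request handler. The following is an added example written for this page (not code from the course or any framework): a deny-by-default gate in which the route table, session store and handlers are hypothetical. The role comes only from a server-side session lookup, so a forged bearer token or an X-Admin header cannot raise privilege; one rule covers every API version of the admin endpoint; and authorization runs before the method check and before input validation, so an under-privileged caller receives 403 on every method and version and never a 400 or 405 that would confirm how the endpoint wants to be called.

```python
"""Added example: a deny-by-default function-level authorization gate.
Illustrative code written for this page; the route table, session store
and handlers are hypothetical."""
import re
from dataclasses import dataclass, field

# Hypothetical server-side session store: bearer token -> role.
# Roles come from here only; nothing the client sends (such as an
# X-Admin header or a made-up token) can change the outcome.
SESSIONS = {"tok-alice": "user", "tok-root": "admin"}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Hypothetical route table: (path regex, minimum role, allowed methods).
# One rule covers every version of the admin endpoint, so /v1/admin,
# /v2/admin and /v3/admin cannot drift apart in what they require.
ROUTES = [
    (re.compile(r"^/books$"), "anonymous", {"GET"}),
    (re.compile(r"^/v[0-9]+/admin$"), "admin", {"GET", "POST"}),
    (re.compile(r"^/(resources/|api/)?admin$"), "admin", {"GET", "POST"}),
]


@dataclass
class Request:
    method: str
    path: str
    token: str = ""
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def resolve_role(req):
    """Map the presented token to a role; unknown or forged tokens are anonymous."""
    return SESSIONS.get(req.token, "anonymous")


def match_route(path):
    """Return (minimum role, allowed methods) for a known path, else None."""
    for pattern, role, methods in ROUTES:
        if pattern.match(path):
            return role, methods
    return None


def admin_handler(req):
    """Business logic for the admin endpoint; only reached after the gate."""
    if req.method == "GET":
        return 200, {"actions": ["list_users", "disable_user"]}
    action = req.body.get("action")
    if action not in ("list_users", "disable_user"):
        return 400, {"error": "invalid action"}  # admins may legitimately see 400
    return 200, {"action": action, "status": "ok"}


def handle(req):
    """Return (status, body). Order matters: route lookup, then authorization,
    then method check, then input validation."""
    route = match_route(req.path)
    if route is None:
        return 404, {"error": "not found"}
    required, methods = route
    if ROLE_RANK[resolve_role(req)] < ROLE_RANK[required]:
        return 403, {"error": "forbidden"}  # same answer for every method/version
    if req.method not in methods:
        return 405, {"error": "method not allowed"}
    if req.path.endswith("/admin"):
        return admin_handler(req)
    return 200, {"books": ["Book A", "Book B"]}  # constructed sample data


if __name__ == "__main__":
    print(handle(Request("GET", "/books")))
    print(handle(Request("POST", "/v3/admin", headers={"X-Admin": "true"})))
    print(handle(Request("POST", "/v3/admin", token="tok-root",
                         body={"action": "list_users"})))
```

Note that the gate does not depend on the admin path being hard to guess: even with /admin and /v3/admin in the table, the probing sequence from the walkthrough (version guessing, method switching, parameter fuzzing) yields only 403 until a genuine admin session is presented.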

Red Flags to Watch For

  • Endpoints returning "400 Bad Request" instead of "403 Forbidden" for unauthorized access
  • Predictable admin endpoint patterns (/admin, /v2/admin, etc.)
  • Lack of authentication checks on sensitive operations
  • Inconsistent authorization across different API versions
  • Administrative functions accessible via simple parameter changes
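Several of these red flags are visible in access logs once the server records the role it resolved for each caller. The following is an added example written for this page (not code from the course): the log format and the sample lines are constructed, and the thresholds are assumptions. It flags two things: a client whose rejected requests on admin-looking paths span several distinct (method, path) pairs, which is the version, path and method guessing described above; and any admin path that answered 400 to a non-admin caller, which is the "400 instead of 403" symptom and means validation ran before authorization.

```python
"""Added example: spotting admin-endpoint enumeration and 400-before-403
leaks in access logs. Written for this page; the log format and sample lines
are constructed, not taken from any real system."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: timestamp client role method path status
# ("role" is what the server resolved for the caller; "-" means anonymous).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 - GET /books 200
2024-05-01T10:00:02Z 203.0.113.5 - GET /admin 404
2024-05-01T10:00:03Z 203.0.113.5 - GET /resources/admin 404
2024-05-01T10:00:04Z 203.0.113.5 - GET /v1/admin 404
2024-05-01T10:00:05Z 203.0.113.5 - GET /v2/admin 404
2024-05-01T10:00:06Z 203.0.113.5 - GET /v3/admin 400
2024-05-01T10:00:07Z 203.0.113.5 - POST /v3/admin 400
2024-05-01T10:00:08Z 203.0.113.5 - PUT /v3/admin 405
2024-05-01T10:00:09Z 198.51.100.7 user GET /books 200
2024-05-01T10:00:10Z 198.51.100.7 user GET /books 200
2024-05-01T10:00:11Z 192.0.2.9 admin GET /v3/admin 200
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) (\S+) (\d{3})$"
)
ADMIN_PATH = re.compile(r"(^|/)admin(/|$)")
# Statuses that say "rejected" to a probe without serving the function.
PROBE_STATUSES = {400, 401, 403, 404, 405}


@dataclass(frozen=True)
class Record:
    ts: str
    client: str
    role: str
    method: str
    path: str
    status: int


def parse_log(text):
    """Yield Records; lines that do not match the constructed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, role, method, path, status = m.groups()
            yield Record(ts, client, role, method, path, int(status))


def detect(text, probe_threshold=3):
    """Return findings as a dict:
    enumeration: client -> number of distinct rejected (method, path) pairs on
                 admin-looking paths, reported once it reaches probe_threshold;
    leaks:       (client, method, path) where an admin path answered 400 to a
                 caller whose role is not admin, i.e. input validation ran
                 before (or instead of) the authorization check."""
    probes = defaultdict(set)
    leaks = []
    for rec in parse_log(text):
        if not ADMIN_PATH.search(rec.path):
            continue
        if rec.status in PROBE_STATUSES:
            probes[rec.client].add((rec.method, rec.path))
        if rec.status == 400 and rec.role != "admin":
            leaks.append((rec.client, rec.method, rec.path))
    enumeration = {c: len(p) for c, p in probes.items() if len(p) >= probe_threshold}
    return {"enumeration": enumeration, "leaks": leaks}


if __name__ == "__main__":
    for kind, finding in detect(SAMPLE_LOG).items():
        print(kind, finding)
```

The leak rule excludes callers already resolved as admin because a genuine administrator sending malformed input should see 400; the finding is specifically a 400 reaching someone who should have been stopped at 403. The enumeration rule counts distinct (method, path) pairs rather than raw requests so that a single client retrying one URL does not trip it while a version or method sweep does.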

📊 Vulnerability Impact Assessment

Severity Breakdown

🔴 High Risk: Unauthorized Admin Access - Full system compromise possible
🟠 Medium Risk: Data Exposure - Sensitive information leakage
🟡 Low Risk: Information Disclosure - API structure revelation

💡 Key Takeaways

  • Broken Function Level Authorization is essentially broken access control in API implementations
  • Human predictability in naming conventions makes admin endpoints discoverable
  • A "400 Bad Request" response instead of "403 Forbidden" indicates improper authorization handling
  • Attackers exploit version numbering and predictable paths to discover hidden endpoints
  • Proper authorization checks must be implemented at every sensitive endpoint
  • Testing requires systematic enumeration of endpoints, HTTP methods, and parameters

🔗 Related OWASP API Security Risks

This vulnerability (A5) is closely related to:

  • A1: Broken Object Level Authorization - Similar concept but at the object level
  • A3: Excessive Data Exposure - Can result from poor authorization
  • A7: Security Misconfiguration - Often the root cause of authorization issues