
API5:2019 Broken Function Level Authorization

Learn about the security vulnerability API5:2019 Broken Function Level Authorization, which allows unauthorized access to sensitive functions in an API. Explore prevention measures and attack scenarios.

Overview

This article discusses the security vulnerability API5:2019 Broken Function Level Authorization, which is one of the top 10 API security risks identified by OWASP. The vulnerability allows attackers to access unauthorized functionality by exploiting flaws in the authorization mechanism of an API. The article provides an overview of the threat agents, attack vectors, and impacts associated with this vulnerability.


Description

API5:2019 Broken Function Level Authorization is a serious security vulnerability that can lead to unauthorized access to sensitive functions or resources in an API. Attackers can exploit this vulnerability by sending legitimate API calls to endpoints that they should not have access to. This can be done by replacing or modifying the HTTP method or URL parameters. The article explores how authorization checks are usually managed and the challenges involved in implementing proper checks. It also provides example attack scenarios to demonstrate how this vulnerability can be exploited.


How to Prevent?

To prevent API5:2019 Broken Function Level Authorization, it is important to perform a deep analysis of the authorization mechanism and consider the user hierarchy, roles, and groups in the application. Some key preventive measures include:

1. Implementing a consistent and easy-to-analyze authorization module that is invoked from all business functions.
2. Reviewing API endpoints for function level authorization flaws, considering the business logic of the application and user groups.
3. Ensuring that administrative controllers inherit from an abstract controller that implements authorization checks.
4. Implementing authorization checks based on user groups and roles in both administrative and regular controllers.
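The following added example (not code from the original page or from Cloud Defense) sketches measures 1, 3 and 4 in plain Python: one central `authorize()` module, an abstract `Controller` whose `dispatch()` runs that check before any handler, and a route table keyed on method and path so that an unregistered method or URL never falls through to a handler. Role names, paths and handlers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet

ROLE_USER, ROLE_ADMIN = "user", "admin"   # constructed role names


@dataclass
class User:
    name: str
    roles: FrozenSet[str] = field(default_factory=frozenset)


@dataclass
class Request:
    method: str
    path: str
    user: User


def authorize(user: User, required: FrozenSet[str]) -> bool:
    """The single authorization module: every business function goes through here."""
    return bool(user.roles & required)


class Controller:
    """Abstract controller. dispatch() enforces the check before any handler runs."""
    required_roles: FrozenSet[str] = frozenset()   # empty set: deny by default

    def dispatch(self, request: Request, handler: Callable[[Request], tuple]) -> tuple:
        if not authorize(request.user, self.required_roles):
            return 403, "forbidden"
        return handler(request)


class UserController(Controller):
    required_roles = frozenset({ROLE_USER, ROLE_ADMIN})

    def invite_friend(self, req: Request) -> tuple:
        return 200, f"friend invite sent by {req.user.name}"


class AdminController(Controller):
    required_roles = frozenset({ROLE_ADMIN})   # admin-only function (cf. Scenario #1)

    def invite_admin(self, req: Request) -> tuple:
        return 200, f"admin invite issued by {req.user.name}"


# Constructed route table: (method, path) -> (controller, handler name).
ROUTES = {
    ("POST", "/api/invite_friend"): (UserController(), "invite_friend"),
    ("POST", "/api/admin/invite"): (AdminController(), "invite_admin"),
}


def handle(request: Request) -> tuple:
    """Resolve the route, then let the controller apply the role check."""
    route = ROUTES.get((request.method, request.path))
    if route is None:
        return 404, "not found"   # a changed method or path is rejected, not routed elsewhere
    controller, name = route
    return controller.dispatch(request, getattr(controller, name))
```

Because the check lives in the base class, a new administrative controller cannot forget it; the only way to open a function is to widen `required_roles` explicitly.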


Example Attack Scenarios:

  • Scenario #1: An attacker exploits a broken function level authorization vulnerability during the registration process of an application. By manipulating the HTTP method and endpoint, the attacker gains access to an API endpoint that should only be accessible to administrators. This allows the attacker to send themselves an invite to create an admin account.

  • Scenario #2: An API endpoint that should only be accessible to administrators is exposed to unauthorized users due to a lack of function-level authorization checks. An attacker who has learned the API structure manages to access this endpoint and obtains sensitive details of all the users of the application.
