
API5:2023 Broken Function Level Authorization - OWASP API Security Top 10

Learn about the severe security weakness in APIs where attackers can exploit improper authorization checks, leading to data disclosure, loss, or corruption.

Overview

API5:2023 Broken Function Level Authorization is one of the top 10 API security risks identified by OWASP. This vulnerability occurs when the authorization checks for a function or resource are not properly implemented, allowing attackers to access functionality they are not authorized to use. Exploiting this vulnerability can lead to data disclosure, data loss, or data corruption, and ultimately to service disruption.


Description

API5:2023 Broken Function Level Authorization is a severe security weakness commonly found in APIs. It occurs when an attacker, acting as an anonymous user or as a regular, non-privileged user, sends legitimate API calls to an endpoint they should not have access to. Authorization checks for a function or resource are usually managed at the configuration or code level, which makes these flaws easier for attackers to discover and exploit. This vulnerability is prevalent and easy to detect, with severe technical and business-specific impacts.


How to Prevent?

To prevent API5:2023 Broken Function Level Authorization, it is important to have a consistent and easy-to-analyze authorization module that is invoked from all your business functions. Here are some preventive measures:

1. Implement an enforcement mechanism that denies all access by default, requiring explicit grants to specific roles for access to every function.
2. Review your API endpoints against function level authorization flaws, considering the business logic of the application and the groups hierarchy.
3. Ensure that all administrative controllers inherit from an administrative abstract controller that implements authorization checks based on the user's group/role.
4. Make sure that administrative functions inside a regular controller implement authorization checks based on the user's group and role.
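The following is an added example, not code from Cloud Defense or OWASP, of the deny-by-default authorization module described above. It assumes a simple model in which each user carries a set of role names, every API function is registered with an explicit allowed-role set via a decorator, and an audit helper lists any function that was never given a grant (the `AuthorizationPolicy`, `User` and `Forbidden` names are all constructed for this example):

```python
"""Deny-by-default function-level authorization (added example, hypothetical API)."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()  # anonymous callers carry no roles at all


class Forbidden(Exception):
    """Raised when the caller holds no role that was explicitly granted."""


class AuthorizationPolicy:
    """Single authorization module invoked from every business function."""

    def __init__(self) -> None:
        self._grants: Dict[str, FrozenSet[str]] = {}

    def requires(self, *roles: str) -> Callable:
        """Decorator: register a function together with the roles allowed to call it."""
        def decorator(func: Callable) -> Callable:
            self._grants[func.__name__] = frozenset(roles)

            @wraps(func)
            def wrapper(user: User, *args, **kwargs):
                self.check(user, func.__name__)  # enforced before any business logic runs
                return func(user, *args, **kwargs)
            return wrapper
        return decorator

    def check(self, user: User, function_name: str) -> None:
        # Deny by default: a function with no grant entry is callable by nobody,
        # and a caller needs at least one role from the explicit grant set.
        allowed = self._grants.get(function_name, frozenset())
        if not (user.roles & allowed):
            raise Forbidden(f"{user.name!r} may not call {function_name!r}")

    def ungranted(self, functions: Iterable[Callable]) -> Set[str]:
        """Audit helper: names of exposed functions that never received an explicit grant."""
        return {f.__name__ for f in functions} - set(self._grants)


policy = AuthorizationPolicy()


@policy.requires("admin")
def list_all_users(user: User) -> list:
    """Administrative function: only the admin role is granted."""
    return ["alice", "bob"]


@policy.requires("user", "admin")
def get_own_profile(user: User) -> dict:
    """Regular function: any authenticated role is granted, anonymous is not."""
    return {"name": user.name}


def delete_user(user: User, target: str) -> bool:
    # Deliberately left without a grant so the audit below reports it.
    return True


# Constructed sample principals.
ADMIN = User("alice", frozenset({"admin"}))
REGULAR = User("bob", frozenset({"user"}))
ANONYMOUS = User("anonymous")


def allowed_to_call(func: Callable, user: User, *args) -> bool:
    """Return True if the policy lets `user` invoke `func`, False on Forbidden."""
    try:
        func(user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("admin lists users:", allowed_to_call(list_all_users, ADMIN))
    print("regular lists users:", allowed_to_call(list_all_users, REGULAR))
    print("anonymous reads profile:", allowed_to_call(get_own_profile, ANONYMOUS))
    print("functions missing a grant:",
          policy.ungranted([list_all_users, get_own_profile, delete_user]))
```

The `ungranted` audit is the piece that turns measure 2 (reviewing endpoints for missing checks) into something a CI job can fail on: any exposed handler that the policy has never heard of is reported rather than silently callable.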


Example Attack Scenarios:

  • Scenario #1:  During the registration process of an application, an attacker manipulates the API call to create an admin account for themselves and gain full access to the system.

  • Scenario #2:  An attacker accesses an API endpoint that should be exposed only to administrators, exposing sensitive details of the users of the application.
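Both scenarios come down to the same defect: a handler that trusts the caller's role, or never checks it. The code below is an added example, not taken from the page, showing each vulnerable handler beside its fixed form. The handlers are plain functions over an in-memory store, `Account` and the `store` dict are constructed for this example, and `requester` stands for the authenticated caller as resolved from the session:

```python
"""Scenario #1 and #2 handlers, vulnerable beside fixed (added example, hypothetical API)."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    username: str
    role: str


def register_vulnerable(store: Dict[str, Account], body: dict) -> Account:
    # Scenario #1 pattern: the role is copied from the client-controlled request
    # body, so a registration request that includes a role field chooses its own
    # privilege level.
    acct = Account(body["username"], body.get("role", "user"))
    store[acct.username] = acct
    return acct


def register_fixed(store: Dict[str, Account], body: dict) -> Account:
    # The role is assigned server-side; no field in the request can influence it.
    # Privilege escalation has to go through a separate, admin-only function.
    acct = Account(body["username"], "user")
    store[acct.username] = acct
    return acct


def admin_list_users_vulnerable(requester: Account, store: Dict[str, Account]) -> dict:
    # Scenario #2 pattern: the caller is authenticated, but there is no
    # function-level check, so any regular user can read the admin listing.
    return {"status": 200, "users": sorted(store)}


def admin_list_users_fixed(requester: Account, store: Dict[str, Account]) -> dict:
    # Function-level check based on the caller's role, performed before any data
    # is touched. Returning 403 (not 404) keeps the failure visible in access logs.
    if requester.role != "admin":
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "users": sorted(store)}


if __name__ == "__main__":
    users: Dict[str, Account] = {}
    # Constructed request: a registration body that smuggles in a role field.
    body = {"username": "mallory", "role": "admin"}
    print("vulnerable register ->", register_vulnerable(users, body).role)
    print("fixed register      ->", register_fixed(users, body).role)
    caller = users["mallory"]  # the fixed registration overwrote the entry as a regular user
    print("vulnerable listing  ->", admin_list_users_vulnerable(caller, users)["status"])
    print("fixed listing       ->", admin_list_users_fixed(caller, users)["status"])
```

A useful detection signal for Scenario #2 in the fixed version is the 403 itself: a burst of 403 responses on administrative routes from a non-admin session is exactly the kind of probing the scenario describes and is worth alerting on.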
