Application Programming Interfaces (APIs) are at the heart of modern applications, enabling functionality, communication and acting as a bridge between different software components.

One common issue is Broken Function Level Authorization (BFLA), which sits at position 5 on the OWASP API Top 10 2023 Candidate list. Let’s take a closer look at this vulnerability.

Understanding Broken Function Level Authorization (BFLA)

BFLA allows unauthorized users to access functionality in API endpoints that should be restricted to other roles. The requests used in these attacks often look completely legitimate and pass through controls such as Web Application Firewalls, because nothing about them is malformed; the only thing wrong is who is sending them.

For example:

  1. An e-commerce site has a GET API endpoint to view customer order details: /api/v1/orders/:orderId
  2. This endpoint allows customers to view their own orders, and uses the logged-in user’s ID to verify access
  3. After further enumeration, it’s apparent that the DELETE method is available for the same endpoint. Changing the HTTP method from GET to DELETE allows an attacker to remove any order they want from the system, provided they have the order ID.

In this case, the attacker has access to functionality that should be restricted, and this is a common oversight in many API-driven applications.
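The scenario above, written out as an added example (this is illustration code, not code from the original post or from any real e-commerce API): the same order endpoint first with the BFLA flaw and then hardened so that every HTTP method, not just GET, passes through one authorization check. The in-memory order store, the user records and the role names "customer" and "admin" are assumptions made for the example, as is the policy that only admins may delete orders.

```python
"""Added example: the vulnerable order endpoint beside its hardened form.

Everything here is constructed for illustration: the in-memory order store,
the user records and the role names are assumptions, not a real API.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    role: str  # "customer" or "admin" (assumed role names)


@dataclass
class OrderStore:
    # Constructed sample data: order_id -> owning customer's user_id
    orders: dict = field(default_factory=lambda: {1001: 1, 1002: 2})


def vulnerable_handler(method, order_id, user, store):
    """Mirrors the scenario: GET checks ownership, DELETE checks nothing."""
    if order_id not in store.orders:
        return 404, {"error": "not found"}
    if method == "GET":
        if store.orders[order_id] != user.user_id:
            return 403, {"error": "forbidden"}
        return 200, {"order_id": order_id, "owner": store.orders[order_id]}
    if method == "DELETE":
        # BUG: the destructive method has no function-level authorization,
        # so any logged-in user who knows an order ID can delete it.
        del store.orders[order_id]
        return 204, None
    return 405, {"error": "method not allowed"}


# Hardened version: one table states which role may use which method, and
# ownership is checked for every action rather than only for the read.
ACTION_ROLES = {
    "GET": {"customer", "admin"},   # customers read their own, admins read any
    "DELETE": {"admin"},            # assumed policy: only admins delete orders
}


def authorize(user, method, owner_id):
    """True only if the role may use this method AND the record belongs to
    the caller (admins may act on any record)."""
    if user.role not in ACTION_ROLES.get(method, set()):
        return False
    return user.role == "admin" or owner_id == user.user_id


def hardened_handler(method, order_id, user, store):
    if method not in ACTION_ROLES:
        # Reject unknown methods before touching any data.
        return 405, {"error": "method not allowed"}
    if order_id not in store.orders:
        # If order existence is itself sensitive, answer 404 for forbidden
        # records too so that customers cannot enumerate other orders.
        return 404, {"error": "not found"}
    if not authorize(user, method, store.orders[order_id]):
        return 403, {"error": "forbidden"}
    if method == "GET":
        return 200, {"order_id": order_id, "owner": store.orders[order_id]}
    del store.orders[order_id]
    return 204, None


def demo():
    """Customer 1 tries to delete customer 2's order against both handlers.
    Returns (status, order_still_present) for each."""
    customer = User(user_id=1, role="customer")
    vuln_store, hard_store = OrderStore(), OrderStore()
    vuln_status, _ = vulnerable_handler("DELETE", 1002, customer, vuln_store)
    hard_status, _ = hardened_handler("DELETE", 1002, customer, hard_store)
    return {
        "vulnerable": (vuln_status, 1002 in vuln_store.orders),
        "hardened": (hard_status, 1002 in hard_store.orders),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that authorization lives in one place (`authorize`) and is applied before the method-specific code runs, so adding a new verb to the endpoint cannot silently bypass it: a method missing from `ACTION_ROLES` is denied rather than allowed by default.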


Testing for BFLA

There are a number of approaches we can use to test for BFLA issues. When working with a larger set of APIs it makes sense to build a collection and automate this process. There may also be times, however, when you need to step through endpoints manually for deeper analysis.

  1. Understand the user roles and permissions
    • What roles exist?
    • What is a user supposed to do?
    • What can a user actually do?
    • What can admins do?
  2. Map API endpoints to functions
    • What API endpoints exist?
    • What functionality do they offer?
  3. Test both authenticated and unauthenticated requests
    • Set up the Autorize extension in Burp Suite
    • Can you access the same functionality with different user roles?
  4. Manipulate or fuzz HTTP methods for each endpoint
  5. Check for authorization across a series of operations
    • Is your access verified at step 1?
    • Is your access verified at step 2, step 3, and so on?
  6. Keep an eye out for odd behavior and error messages
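Steps 3 and 4 above are easy to automate once the roles and endpoints from steps 1 and 2 are written down. The following added example (not from the original post, and not a TCM Security tool) is an authorization matrix check: for every endpoint, HTTP method and role it sends one request and flags any role that reaches a function the documented policy does not grant it. The endpoint list, the role names, the expected-access table and the in-process fake API are all constructed for the example; `send` is a pluggable callable, so against a real target it would wrap an HTTP client that attaches each role's own session credentials.

```python
"""Added example: an authorization matrix check for BFLA.

The expected policy, the roles and the fake server are constructed for
illustration; only the probe logic is meant to be reused as-is.
"""

METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")

# Expected policy (constructed): which roles should be able to use each
# method on each endpoint. Methods not listed must be denied to everyone.
EXPECTED = {
    "/api/v1/orders/{orderId}": {
        "GET": {"customer", "admin"},
        "DELETE": {"admin"},
    },
    "/api/v1/users/{userId}/roles": {
        "GET": {"admin"},
        "PUT": {"admin"},
    },
}


def fake_send(method, path, role):
    """Constructed in-process stand-in for a server that reproduces the
    post's flaw: DELETE on orders is reachable by any caller, everything
    else follows EXPECTED. Returns an HTTP status code."""
    if path == "/api/v1/orders/{orderId}" and method == "DELETE":
        return 204  # bug under test: no role check on the destructive verb
    allowed = EXPECTED.get(path, {}).get(method)
    if allowed is None:
        return 405
    return 200 if role in allowed else 403


def is_allowed(status):
    """Any 2xx means the function actually ran; 401/403/404/405 are denials.
    Unexpected 5xx responses are treated as denials here but are worth a
    manual look (step 6: odd behaviour and error messages)."""
    return 200 <= status < 300


def probe(send, expected, roles, methods=METHODS):
    """Return findings as (path, method, role, status) tuples, one for each
    case where a role reached a function the policy does not grant it."""
    findings = []
    for path, policy in expected.items():
        for method in methods:
            permitted = policy.get(method, set())
            for role in roles:
                status = send(method, path, role)
                if is_allowed(status) and role not in permitted:
                    findings.append((path, method, role, status))
    return findings


def run_demo():
    # "anonymous" stands for an unauthenticated request (step 3).
    return probe(fake_send, EXPECTED, roles=("anonymous", "customer", "admin"))


if __name__ == "__main__":
    for path, method, role, status in run_demo():
        print("BFLA candidate: %s %s reachable as %s (HTTP %d)"
              % (method, path, role, status))
```

Because the check is driven by the expected-access table rather than by what the server happens to return, it doubles as an authorization regression test: wire `send` to a staging environment and run it in CI, and a newly exposed verb on an existing route shows up as a finding before it ships.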

Conclusion

APIs are the conduits that drive our connected world, enabling seamless interactions between diverse software systems. However, they are also a real target for malicious actors. Broken Function Level Authorization (BFLA) is just one of many vulnerabilities that can impact API-driven systems, and other similar vulnerabilities can be found on the OWASP API Top 10, or the more recent Candidate List.


About the Author: Alex Olsen

Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PWPA and PWPP certifications.

Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com
