API5:2019 Broken Function Level Authorization
If you have been following our OWASP API Security Top 10 series, you know that we have already covered a specific type of authorization issue: Broken Object Level Authorization. Broken Function Level Authorization issues are not that different. Instead of getting access to a user's object, bad actors may find a way to execute functions/actions reserved to very specific or privileged users such as administrators.
What is the issue?
The underlying issue is the same discussed for Broken Object Level Authorization: a regular or non-privileged API user can craft a request to a specific endpoint that is supposed to be only available to a particular user or user role. In this case, such endpoints perform actions upon API-managed data, such as exporting the user base to some specific format (e.g. CSV) or triggering some action.
How does it look like?
The example below is an idiomatic scenario where the endpoint /admin/users/export is aimed at administrators only, but due to an authorization flaw, any authenticated user will be able to export the user base to CSV:
Access control is known to be something hard to implement and manage, so you can think about much more complex scenarios where checking if the requester is allowed to perform a specific action fails.
Where have we seen this issue lately?
We usually find function-level authorization issues on endpoints whose addresses were supposed to be known only by those authorized to access them (aka security through obscurity) or through "magical" query string parameters that unlock the feature (e.g. ?export/?print).
The XSS vulnerability patched in SEOPress affecting 100,000 sites (CVE-2021-34641) exploits a flaw in the authorization mechanism. The same underlying vulnerability was found by Pierre in several Zyxel CNM SecuManager backdoor APIs.
Authorization and access control is one of the most challenging parts of building and deploying APIs. Even carefully designed APIs with a proper access control infrastructure and authorization mechanism may fall into these issues.
Function-level authorization issues tend to be critical: functions are often aimed at privileged users, or they are either stateful or expose considerable amounts of data.
Because testing for authorization flaws is not that easy to automate, manual testing is still the best way to address the problem: internal quality assurance (QA) and security teams should put additional effort on authorization issues, but an external security audit will help to greatly improve confidence in the system.