Broken Function Level Authorization

What is Broken Function Level Authorization?

Broken Function Level Authorization occurs when an API does not properly enforce authorization checks at the function or method level. This vulnerability can lead to unauthorized access to critical functions and sensitive data.

Maps to OWASP Top 10

Broken Function Level Authorization is categorized under A01:2021 - Broken Access Control in the OWASP Top 10. It emphasizes the importance of implementing proper access control mechanisms to prevent unauthorized access to API functions.

Vulnerable Code and Secure Code Example

Attack Scenario

Imagine an API endpoint that allows users to perform administrative actions. Without proper function-level authorization, a regular user might be able to access these administrative functions and perform unauthorized actions.

Insecure Implementation (Prone to Broken Function Level Authorization)

@RestController
@RequestMapping("/api")
public class AdminController {

    @Autowired
    private UserService userService;

    @PostMapping("/admin/createUser")
    public ResponseEntity<?> createUser(@RequestParam String username, @RequestParam String password) {
        // No authorization check
        userService.createUser(username, password);
        return ResponseEntity.ok("User created");
    }
}

Attack Payload Example:

curl -X POST -d "username=newUser&password=password" http://localhost:8080/api/admin/createUser

In this case, any user can access the /admin/createUser endpoint and create new users without proper authorization.

Secure Implementation (Mitigating Broken Function Level Authorization)

@RestController
@RequestMapping("/api")
public class AdminController {

    @Autowired
    private UserService userService;

    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/admin/createUser")
    public ResponseEntity<?> createUser(@RequestParam String username, @RequestParam String password) {
        userService.createUser(username, password);
        return ResponseEntity.ok("User created");
    }
}

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("{noop}admin").roles("ADMIN")
            .and()
            .withUser("user").password("{noop}user").roles("USER");
    }
}

The secure implementation:

  • Uses @PreAuthorize annotation to enforce that only users with the 'ADMIN' role can access the /admin/createUser endpoint.

  • Configures role-based access control in the Spring Security configuration to protect administrative endpoints.

Key Points for Developers

  • Implement Role-Based Access Control (RBAC): Ensure that only users with the appropriate roles can access specific functions.

  • Use Security Annotations: Leverage security annotations such as @PreAuthorize and @Secured to enforce authorization at the method level.

  • Regularly Review Access Control Policies: Ensure that access control policies are up-to-date and align with the application's security requirements.

  • Conduct Security Testing: Regularly test APIs for vulnerabilities related to broken function level authorization.

Summary and Key Takeaways

Broken Function Level Authorization can lead to unauthorized access to critical functions and sensitive data. By implementing role-based access control, using security annotations, and regularly reviewing access control policies, developers can mitigate these risks and ensure robust API security.

Reference Links

PreviousLack of Resources & Rate LimitingNextUnsafe Consumption of APIs

Last updated