130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Information Security Centre (ISC)
    • Why we need a ISC
    • ISC Team Structure: Roles, Functions, and Tools
      • Key Function & Role
      • Tools
      • People
      • Outsource Strategy
    • HRMC Executive Paper
  • Application Security
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • What is Broken Function Level Authorization?
  • Vulnerable Code and Secure Code Example
  • Attack Scenario
  • Insecure Implementation (Prone to Broken Function Level Authorization)
  • Attack Payload Example:
  • Secure Implementation (Mitigating Broken Function Level Authorization)
  • Key Points for Developers
  • Summary and Key Takeaways
  • Reference Links

Was this helpful?

  1. Application Security
  2. Common API Security Problems

Broken Function Level Authorization

What is Broken Function Level Authorization?

Broken Function Level Authorization occurs when an API does not properly enforce authorization checks at the function or method level. This vulnerability can lead to unauthorized access to critical functions and sensitive data.

Maps to OWASP Top 10

Broken Function Level Authorization is categorized under A01:2021 - Broken Access Control in the OWASP Top 10. It emphasizes the importance of implementing proper access control mechanisms to prevent unauthorized access to API functions.

Vulnerable Code and Secure Code Example

Attack Scenario

Imagine an API endpoint that allows users to perform administrative actions. Without proper function-level authorization, a regular user might be able to access these administrative functions and perform unauthorized actions.

Insecure Implementation (Prone to Broken Function Level Authorization)

@RestController
@RequestMapping("/api")
public class AdminController {

    @Autowired
    private UserService userService;

    @PostMapping("/admin/createUser")
    public ResponseEntity<?> createUser(@RequestParam String username, @RequestParam String password) {
        // No authorization check
        userService.createUser(username, password);
        return ResponseEntity.ok("User created");
    }
}

Attack Payload Example:

curl -X POST -d "username=newUser&password=password" http://localhost:8080/api/admin/createUser

In this case, any user can access the /admin/createUser endpoint and create new users without proper authorization.

Secure Implementation (Mitigating Broken Function Level Authorization)

@RestController
@RequestMapping("/api")
public class AdminController {

    @Autowired
    private UserService userService;

    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/admin/createUser")
    public ResponseEntity<?> createUser(@RequestParam String username, @RequestParam String password) {
        userService.createUser(username, password);
        return ResponseEntity.ok("User created");
    }
}

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("admin").password("{noop}admin").roles("ADMIN")
            .and()
            .withUser("user").password("{noop}user").roles("USER");
    }
}

The secure implementation:

  • Uses @PreAuthorize annotation to enforce that only users with the 'ADMIN' role can access the /admin/createUser endpoint.

  • Configures role-based access control in the Spring Security configuration to protect administrative endpoints.

Key Points for Developers

  • Implement Role-Based Access Control (RBAC): Ensure that only users with the appropriate roles can access specific functions.

  • Use Security Annotations: Leverage security annotations such as @PreAuthorize and @Secured to enforce authorization at the method level.

  • Regularly Review Access Control Policies: Ensure that access control policies are up-to-date and align with the application's security requirements.

  • Conduct Security Testing: Regularly test APIs for vulnerabilities related to broken function level authorization.

Summary and Key Takeaways

Broken Function Level Authorization can lead to unauthorized access to critical functions and sensitive data. By implementing role-based access control, using security annotations, and regularly reviewing access control policies, developers can mitigate these risks and ensure robust API security.

Reference Links

PreviousLack of Resources & Rate LimitingNextUnsafe Consumption of APIs

Last updated 5 months ago

Was this helpful?

OWASP API Security Top 10:

Spring Security Documentation:

Spring Data JPA Documentation:

Access Control Cheat Sheet:

OWASP API Security Top 10
Spring Security Documentation
Spring Data JPA Documentation
OWASP Access Control Cheat Sheet