# Broken Function Level Authorization ## **What is Broken Function Level Authorization?** **Broken Function Level Authorization** occurs when an API does not properly enforce authorization checks at the function or method level. This vulnerability can lead to unauthorized access to critical functions and sensitive data. **Maps to OWASP Top 10** Broken Function Level Authorization is categorized under **A01:2021 - Broken Access Control** in the OWASP Top 10. It emphasizes the importance of implementing proper access control mechanisms to prevent unauthorized access to API functions. ## **Vulnerable Code and Secure Code Example** ### **Attack Scenario** Imagine an API endpoint that allows users to perform administrative actions. Without proper function-level authorization, a regular user might be able to access these administrative functions and perform unauthorized actions. ### **Insecure Implementation (Prone to Broken Function Level Authorization)** ```java @RestController @RequestMapping("/api") public class AdminController { @Autowired private UserService userService; @PostMapping("/admin/createUser") public ResponseEntity createUser(@RequestParam String username, @RequestParam String password) { // No authorization check userService.createUser(username, password); return ResponseEntity.ok("User created"); } } ``` ### **Attack Payload Example**: ```sh curl -X POST -d "username=newUser&password=password" http://localhost:8080/api/admin/createUser ``` In this case, any user can access the `/admin/createUser` endpoint and create new users without proper authorization. ### **Secure Implementation (Mitigating Broken Function Level Authorization)** ```java @RestController @RequestMapping("/api") public class AdminController { @Autowired private UserService userService; @PreAuthorize("hasRole('ADMIN')") @PostMapping("/admin/createUser") public ResponseEntity createUser(@RequestParam String username, @RequestParam String password) { userService.createUser(username, password); return ResponseEntity.ok("User created"); } } @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/api/admin/**").hasRole("ADMIN") .anyRequest().authenticated() .and() .httpBasic(); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth .inMemoryAuthentication() .withUser("admin").password("{noop}admin").roles("ADMIN") .and() .withUser("user").password("{noop}user").roles("USER"); } } ``` The secure implementation: * **Uses @PreAuthorize** annotation to enforce that only users with the 'ADMIN' role can access the `/admin/createUser` endpoint. * **Configures role-based access control** in the Spring Security configuration to protect administrative endpoints. ## **Key Points for Developers** * **Implement Role-Based Access Control (RBAC)**: Ensure that only users with the appropriate roles can access specific functions. * **Use Security Annotations**: Leverage security annotations such as `@PreAuthorize` and `@Secured` to enforce authorization at the method level. * **Regularly Review Access Control Policies**: Ensure that access control policies are up-to-date and align with the application's security requirements. * **Conduct Security Testing**: Regularly test APIs for vulnerabilities related to broken function level authorization. ## **Summary and Key Takeaways** Broken Function Level Authorization can lead to unauthorized access to critical functions and sensitive data. By implementing role-based access control, using security annotations, and regularly reviewing access control policies, developers can mitigate these risks and ensure robust API security. ## **Reference Links** * **OWASP API Security Top 10**: [OWASP API Security Top 10](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/) * **Spring Security Documentation**: [Spring Security Documentation](https://spring.io/projects/spring-security) * **Spring Data JPA Documentation**: [Spring Data JPA Documentation](https://spring.io/projects/spring-data-jpa) * **Access Control Cheat Sheet**: [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)