API5:2023 - Broken Function Level Authorization

This vulnerability occurs when an API fails to enforce authorization checks on its functions according to the caller's role and privileges. Regular users can access administrative actions.

Understanding why this vulnerability exists

This security risk exists because user permissions are not validated sufficiently. An API can successfully authenticate users but still fail to verify whether those users have permission to execute the specific function they are calling.

Function Level vs Object Level Authorization

It's important to understand the difference between these two authorization vulnerabilities:

Object Level Authorization (BOLA - API1:2023): Controls access to specific data objects. Question: "Can this user access this specific resource?"

  • Example: Can user ID 123 view user ID 456's profile? Answer: NO

Function Level Authorization (BFLA - API5:2023): Controls access to specific functions or operations. Question: "Can this user perform this type of action?"

  • Example: Can a regular user delete ANY user account? Can a viewer role modify settings?

Real World Examples

Example 1: Administrative Function Access

A regular user discovers administrative endpoints by analyzing client-side code or API documentation:

GET kong.nonamesec.org/normal/users

API Response (excessive data exposure):

```json
{
  "22": {
    "identification": "1-0021-1234",
    "name": "Sergio",
    "email": "sergio@company.com",
    "password": "SuperSecret123!",
    "ssn": "123-45-6789",
    "credit_card": "4532-1234-5678-9010",
    "api_key": "sk_live_51234567890abcdef"
  },
  "98": {
    "identification": "1-9954-5647",
    "name": "Zack",
    "email": "zack@company.com",
    "password": "Password123",
    "ssn": "987-65-4321",
    "credit_card": "5425-2334-3010-9876",
    "api_key": "sk_live_98765432109876543"
  },
  "12": {
    "identification": "1-9843-6433",
    "name": "Gabriel",
    "email": "gabriel@company.com",
    "password": "MyP@ssw0rd",
    "ssn": "456-78-9012",
    "credit_card": "3782-822463-10005",
    "api_key": "sk_live_abcdefghijklmnop"
  },
  "27": {
    "identification": "1-1022-5678",
    "name": "Diana",
    "email": "diana@company.com",
    "password": "Diana2024!",
    "ssn": "789-01-2345",
    "credit_card": "6011-1111-1111-1117",
    "api_key": "sk_live_qrstuvwxyz123456"
  }
}
```

Without proper function-level authorization, the regular user can access the /normal/users endpoint and retrieve a list of all users in the system.

Impact: exposure of every user's data, visibility into system-wide information, and a foothold for further abuse (the leaked passwords and API keys can be reused against other functions).

What are the common methods to prevent Broken Function Level Authorization?

| Control | Prevents Function Level Authorization Issues |
|---------|----------------------------------------------|
| Authentication | ❌ No |
| Role-Based Access Control (RBAC) | ✅ Yes |
| Function-level authorization checks | ✅ Yes |

How did we actually remediate this in the current solution?

In this exercise, where we present an insecure and a secure API side by side, we tried wherever possible to rely on Kong's API Gateway as the source of our protection. For Broken Function Level Authorization, we implemented protection using Kong's ACL and RBAC capabilities combined with server-side role validation.

Available Kong Plugins we utilized:


The implementation works as follows:

1. Users authenticate via Basic Auth or Key Auth and are assigned to consumer groups
2. Administrative routes have ACL plugin configured to only allow "admin-group"
3. Regular users attempting to access admin functions receive 403 Forbidden

| Route Pattern | Allowed Roles | HTTP Methods |
|---------------|---------------|--------------|
| /secure/home | secure-group, admin-group | ALL |
| /secure/db/* | admin-group | GET |
| /secure/users/ | admin-group | GET |
| /secure/users/N/settings | user-group | GET |
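The three steps above and the controls table earlier on this page can be checked against a small model of the route table. The following is an added example, not the project's Kong configuration or its application code: the route patterns, HTTP methods and group names are taken from the table, while the `Consumer` type, the sample consumers and the `authorize` functions are assumptions made for illustration. It places the weak control from the controls table (authentication only) beside the hardened check (route match, then authentication, then group, then ownership for the per-user route), so a regular user calling `/secure/users` gets 200 from the first and 403 from the second.

```python
"""Function-level authorization modelled on the route/role table above.

Added example; not the project's Kong configuration or application code.
Route patterns, methods and group names come from the page's table; the
Consumer type, sample consumers and authorize functions are assumptions.
"""
import re
from dataclasses import dataclass

# Policy derived from the route table: (path regex, allowed groups, allowed
# methods). "ALL" means any method. The table's "N" becomes a numeric capture
# so the per-user route can also be checked at object level (BOLA).
POLICY = [
    (re.compile(r"^/secure/home$"), frozenset({"secure-group", "admin-group"}), frozenset({"ALL"})),
    (re.compile(r"^/secure/db/.*$"), frozenset({"admin-group"}), frozenset({"GET"})),
    (re.compile(r"^/secure/users/?$"), frozenset({"admin-group"}), frozenset({"GET"})),
    (re.compile(r"^/secure/users/(?P<uid>\d+)/settings$"), frozenset({"user-group"}), frozenset({"GET"})),
]


@dataclass(frozen=True)
class Consumer:
    """An authenticated caller and its ACL groups (mirrors a Kong consumer)."""
    username: str
    user_id: int
    groups: frozenset


def _match_route(method, path):
    """Return (match, allowed_groups) for the first route whose path AND method
    match, the way a gateway router does; None means no such route exists."""
    for pattern, groups, methods in POLICY:
        m = pattern.match(path)
        if m is None:
            continue
        if "ALL" not in methods and method.upper() not in methods:
            continue
        return m, groups
    return None


def authorize_authn_only(consumer, method, path):
    """The weak control from the controls table: authentication alone.
    Any logged-in caller may use any route that exists, so a regular user
    reaches administrative functions (the BFLA condition)."""
    if _match_route(method, path) is None:
        return 404
    return 401 if consumer is None else 200


def authorize(consumer, method, path):
    """Hardened check: route -> authentication -> group (function level) ->
    ownership (object level, for the per-user route). Returns an HTTP status."""
    matched = _match_route(method, path)
    if matched is None:
        return 404                      # no route for this path/method
    m, allowed_groups = matched
    if consumer is None:
        return 401                      # authentication failed
    if not (consumer.groups & allowed_groups):
        return 403                      # function-level authorization (BFLA)
    uid = m.groupdict().get("uid")
    if uid is not None and int(uid) != consumer.user_id:
        return 403                      # object-level authorization (BOLA)
    return 200


# Constructed sample consumers, one per group named in the table.
ALICE = Consumer("alice", 1, frozenset({"admin-group"}))
BOB = Consumer("bob", 7, frozenset({"user-group"}))
CAROL = Consumer("carol", 3, frozenset({"secure-group"}))

if __name__ == "__main__":
    for who, method, path in [
        (BOB, "GET", "/secure/users"),              # regular user calls an admin function
        (ALICE, "GET", "/secure/users"),            # admin is allowed
        (BOB, "GET", "/secure/users/7/settings"),   # own settings
        (BOB, "GET", "/secure/users/22/settings"),  # another user's settings
        (CAROL, "POST", "/secure/home"),            # ALL methods permitted
        (BOB, "POST", "/secure/db/dump"),           # route exists only for GET
        (None, "GET", "/secure/home"),              # unauthenticated
    ]:
        name = who.username if who else "anonymous"
        print(f"{name:9} {method:4} {path:28} "
              f"authn-only={authorize_authn_only(who, method, path)} "
              f"hardened={authorize(who, method, path)}")
```

The method is treated as part of route matching, so a disallowed method yields 404 rather than 403; that mirrors a gateway where the route is declared with its methods and a non-matching request simply finds no route. Note that the table grants `/secure/users/N/settings` to user-group only, so the model also denies an admin on that route; if the real deployment intends otherwise, the policy row, not the check, is what to change.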

This combination of Kong gateway authorization controls ensures that only consumers in the appropriate groups can reach privileged functions, preventing unauthorized access to administrative capabilities.