Broken function-level authorization occurs when an application fails to restrict sensitive functions to the users who are authorized to use them. Unlike broken object-level authorization, this flaw refers specifically to unauthorized users being able to invoke sensitive or restricted functions they should not have access to.
For instance, one user may be able to modify another user's account, or a regular user may be able to reach admin functionality on a site. These issues are caused by missing or misconfigured access controls. They can manifest in many ways, so let's look at a few examples today.
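As an added example (not code from the original article), here is a minimal Python dispatcher that contrasts an admin-only function which checks only that someone is logged in with the same function gated by an explicit, fail-closed role check; the `User` class, the `require_role` decorator and the sample accounts are assumptions for illustration.

```python
# Added example (not from the original article): a framework-free sketch of a
# function-level authorization gap and its fix. User, require_role, attempt and
# the sample accounts are constructed for illustration only.
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed sample accounts.
ACCOUNTS = {"alice": User("alice", "user"), "root": User("root", "admin")}


class Forbidden(Exception):
    """Raised when the caller lacks the role a function requires."""


def require_role(role):
    """Decorator: deny the call unless caller.role matches (fail closed)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller, *args, **kwargs):
            if caller is None or caller.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


# VULNERABLE: checks that *someone* is logged in, not *who* may call it,
# so any regular user reaching this function can delete accounts.
def vulnerable_delete_account(caller, target):
    if caller is None:
        raise Forbidden("login required")
    return f"deleted {target}"


# FIXED: the role check is attached to the function itself, so every route,
# UI path or client that reaches it is covered, not just the admin menu.
@require_role("admin")
def fixed_delete_account(caller, target):
    return f"deleted {target}"


def attempt(fn, caller_name, target):
    """Call fn as caller_name (None if unknown); return 'allowed' or 'denied'."""
    try:
        fn(ACCOUNTS.get(caller_name), target)
        return "allowed"
    except Forbidden:
        return "denied"
```

The check belongs on the function (or a central policy layer), not on the link or button that leads to it; hiding a menu item is not an access control.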