If your API contains a function-level authorization flaw, attackers can use the same HTTP methods to perform sensitive actions on your API that they would normally be restricted from doing.

How do we prevent this?

Here’s how broken function level authorization is prevented: First, identify all of the functions in your application and classify them into three categories: admin (e.g., adding new users), user (e.g., updating profile info) and system (e.g., sending emails). Then create an access control list for each category by listing which users or roles have permission to perform these actions.
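As an added illustration (not code from the original page), here is the classify-then-enforce approach in Python: each function is tagged once with its category, a per-category ACL lists the roles allowed to call it, and a decorator checks the caller's role on every call so that a regular user sending the same request to an admin function is refused. The role names and functions are constructed for the example.

```python
from enum import Enum
from functools import wraps


class Category(Enum):
    ADMIN = "admin"    # e.g. adding new users
    USER = "user"      # e.g. updating profile info
    SYSTEM = "system"  # e.g. sending emails


# Access control list: which roles may invoke each function category.
# Constructed for this example; a real API would load it from configuration.
ACL = {
    Category.ADMIN: {"admin"},
    Category.USER: {"admin", "user"},
    Category.SYSTEM: {"system"},  # only internal service accounts
}


class Forbidden(Exception):
    """Raised when the caller's role is not listed for the function's category."""


def allowed(caller_role, category):
    """Deny by default: a role unknown to the ACL gets no access."""
    return caller_role in ACL.get(category, set())


def requires(category):
    """Classify a function and enforce the ACL on every call."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller_role, *args, **kwargs):
            if not allowed(caller_role, category):
                raise Forbidden(f"role {caller_role!r} may not call "
                                f"{fn.__name__} ({category.value})")
            return fn(caller_role, *args, **kwargs)
        return wrapper
    return decorator


# Each function is classified once, where it is defined.
@requires(Category.ADMIN)
def add_user(caller_role, username):
    return f"created {username}"


@requires(Category.USER)
def update_profile(caller_role, username, bio):
    return f"updated {username}"


@requires(Category.SYSTEM)
def send_email(caller_role, recipient):
    return f"sent to {recipient}"
```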
