Breno Vitório

API5:2019 - Broken Function Level Authorization

Hello guys! Hope you are having an amazing day 🤗

Continuing our series, today we are going to talk a little bit about API5:2019. Like API1:2019 (Broken Object Level Authorization), it is an authorization vulnerability, but the two arise in different situations and for different reasons: API1 is about which object a caller may read or modify, while API5 is about which function (endpoint or operation) a caller is allowed to invoke at all.

Hope you guys dig it!

🏞️ Just Some Background

There are applications in which some functionality must only be accessible to certain users. For example, if there is an endpoint that returns personally identifiable data about all registered users, we may assume that only administrators are supposed to be able to call it.

For this case, checking a single user attribute such as isAdmin might already do the trick, but other applications, such as forums or school management systems, tend to need more than that. Usually they need a whole set of access control policies, consulted throughout the entire API's code, that define whether a given user is allowed to execute a given function or not.

😋 Exemplifying The Problem

Implementing complex access control policies, just like any other complex business logic, is actually very tricky: there is no single generic check that knows what every endpoint does, so every single endpoint of the API has to be covered explicitly, and only a deny-by-default policy (no role declared means no access) makes sure none of them is missed.

Imagine an API where any route starting with /admin can only be accessed by administrators. That's great, right?! But what about any other route that is also supposed to be accessible only to administrators, such as:

DELETE /users/all HTTP/1.1

This endpoint also needs to be covered by the access control policies, and very often, in cases like this, it simply isn't! 😬

This was the case in CVE-2021-3980. The application already had access control policies defining that only administrators would have access to the endpoints starting with /admin and/or /ajax/admin, but there was an endpoint starting with /ajax/form/admin that was not considered by the access control policies at all. This simple "misconfiguration" made it possible for every user (even unauthenticated ones) to access private information about the users of any social network created with the engine.
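To make the two patterns above concrete, here is an added example (my own illustration, not code from the post or from the affected project). It models the prefix-based policy that leaves DELETE /users/all and an /ajax/form/admin/... endpoint unprotected, and next to it a deny-by-default router in which every route must declare the role it requires, plus an audit helper that lists the admin-only routes a prefix policy would have missed. The users, route table and paths (/profile, /admin/users, /users/all, /ajax/form/admin/users) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: two users, plus None for an unauthenticated caller.
@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False

ALICE_ADMIN = User("alice", is_admin=True)
BOB_USER = User("bob")

# ---------------------------------------------------------------------------
# 1. The vulnerable pattern: authorization keyed on a URL prefix.
#    Any path that does not start with an admin prefix is waved through.
# ---------------------------------------------------------------------------
ADMIN_PREFIXES = ("/admin", "/ajax/admin")

def prefix_policy_allows(method: str, path: str, user: Optional[User]) -> bool:
    if path.startswith(ADMIN_PREFIXES):
        return user is not None and user.is_admin
    return True  # the bug: "no prefix match" is treated as "no policy needed"

# ---------------------------------------------------------------------------
# 2. The hardened pattern: deny by default. A route cannot be registered
#    without naming the role it requires, so a forgotten endpoint becomes a
#    registration error at startup instead of an exposure in production.
# ---------------------------------------------------------------------------
ROLES = ("anonymous", "user", "admin")
Handler = Callable[[Optional[User]], str]

def role_satisfied(required: str, user: Optional[User]) -> bool:
    if required not in ROLES:
        raise ValueError(f"unknown role {required!r}")
    if required == "anonymous":
        return True
    if user is None:
        return False
    return required == "user" or user.is_admin

class Router:
    def __init__(self) -> None:
        self._routes: Dict[Tuple[str, str], Tuple[str, Handler]] = {}

    def route(self, method: str, path: str, role: str):
        # The role is a mandatory argument: there is no way to register a
        # handler that the authorization layer does not know about.
        if role not in ROLES:
            raise ValueError(f"route {method} {path} declares unknown role {role!r}")
        def register(handler: Handler) -> Handler:
            self._routes[(method, path)] = (role, handler)
            return handler
        return register

    def dispatch(self, method: str, path: str, user: Optional[User]) -> Tuple[int, str]:
        entry = self._routes.get((method, path))
        if entry is None:
            return 404, "not found"
        required, handler = entry
        if not role_satisfied(required, user):
            return (401 if user is None else 403), "forbidden"
        return 200, handler(user)

    def admin_routes_outside_prefixes(self) -> List[Tuple[str, str]]:
        """Audit helper: admin-only routes that a prefix-based policy would miss."""
        return sorted(
            (m, p) for (m, p), (role, _) in self._routes.items()
            if role == "admin" and not p.startswith(ADMIN_PREFIXES)
        )

# Hypothetical route table for the example (paths are illustrative only).
api = Router()

@api.route("GET", "/profile", role="user")
def profile(user): return f"profile of {user.name}"

@api.route("GET", "/admin/users", role="admin")
def list_users(user): return "all users with PII"

@api.route("DELETE", "/users/all", role="admin")
def delete_all_users(user): return "deleted"

@api.route("GET", "/ajax/form/admin/users", role="admin")
def admin_form(user): return "admin form with user emails"

if __name__ == "__main__":
    # The prefix policy lets an ordinary user reach the admin-only bulk delete...
    print(prefix_policy_allows("DELETE", "/users/all", BOB_USER))   # True
    # ...while the deny-by-default router refuses it.
    print(api.dispatch("DELETE", "/users/all", BOB_USER))           # (403, 'forbidden')
    print(api.admin_routes_outside_prefixes())
```

The audit helper is the check worth keeping around: run it (or its equivalent against your real router) in a unit test, and any admin-only operation that lives outside the "obvious" admin prefixes shows up before an attacker finds it.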

📔 External Materials

As my goal with this series is just to explain what each flaw is while I'm learning about them all, I would like to suggest some materials about today's topic, so you can understand its details better:
