🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Broken Function Level Authorization

Broken Function Level Authorization occurs when APIs expose sensitive functions or administrative operations without enforcing proper role-based or permission-based access checks, allowing attackers to invoke actions beyond their privileges.

Remediation

  • Implement server-side role and permission validation for every API endpoint, especially administrative and sensitive functions.
  • Segregate administrative and user-level functions into separate endpoints and enforce strict authentication and authorization checks.
  • Avoid relying solely on client-side enforcement; ensure authorization logic is applied consistently on the server.

Metadata

  • Severity: high
  • Slug: broken-function-level-authorization

CWEs

  • 284: Improper Access Control
  • 285: Improper Authorization
  • 266: Incorrect Privilege Assignment

OWASP

  • A01:2021: Broken Access Control
  • API3:2023: Broken Function Level Authorization

Available Labs

Select a language to explore available labs for this vulnerability.

No matching labs found

Try adjusting your language filter.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.