OWASP API security – 5: Broken function level authorization
Blog post from Tyk
Broken Function Level Authorization (BFLA) is a security vulnerability that arises when client requests are not properly authorized, allowing a client to reach higher-privileged functionality such as administrative functions. To prevent BFLA, client permissions must be validated against the requested resource, and requests from clients with insufficient permissions must be rejected. Exploitation typically consists of legitimate, well-formed API calls sent to endpoints that should be inaccessible to that client; APIs are particularly susceptible because their structured nature makes such endpoints predictable.

Proper authorization checks, usually managed through configuration or code, are necessary, but they can be complex when user roles and role hierarchies vary. Application Programming Interface Management (APIM) systems address BFLA by offering mechanisms such as access control lists that govern which HTTP methods and paths each client may access. An API gateway can enforce these controls by rejecting unauthorized requests and reporting the outcome through HTTP status codes.

This requires ongoing attention to security policies, which must evolve alongside the API itself. Tools such as Tyk address this through policies and plugins that manage access to API endpoints, letting organizations tailor their security strategy without disrupting existing workflows.
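The gateway-side check described above, as an added example that is not Tyk's code or taken from the original post: a deny-by-default access control list of HTTP method and path-pattern pairs per role, with a small role hierarchy and the 401/403/200 outcomes a gateway would return. The API keys, roles, paths and ACL entries are constructed, hypothetical data.

```python
import posixpath

# Constructed, hypothetical data: API keys, their roles, and an ACL of
# (HTTP method, path pattern) pairs each role may call. "*" matches exactly
# one path segment, so "/api/v1/users/*" covers /api/v1/users/42 but not
# /api/v1/users/42/roles. Anything not listed is denied (deny by default).
API_KEYS = {"key-user-1": "user", "key-admin-1": "admin"}
ACL = {
    "user": [("GET", "/api/v1/orders"), ("GET", "/api/v1/orders/*"),
             ("POST", "/api/v1/orders")],
    "admin": [("GET", "/api/v1/admin/users"), ("DELETE", "/api/v1/users/*")],
}
# Role hierarchy: a role inherits the rules of its parent roles.
ROLE_PARENTS = {"admin": ["user"]}


def effective_roles(role):
    """Return the role plus every ancestor role, without duplicates."""
    seen, stack = [], [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.append(r)
            stack.extend(ROLE_PARENTS.get(r, []))
    return seen


def path_matches(pattern, path):
    """Segment-wise match; '*' stands for exactly one whole segment."""
    pat, parts = pattern.strip("/").split("/"), path.strip("/").split("/")
    return len(pat) == len(parts) and all(
        p == "*" or p == s for p, s in zip(pat, parts))


def authorize(api_key, method, raw_path):
    """Gateway-style function-level check. Returns (status, reason): 401 for
    an unknown caller, 403 when no rule allows method+path, 200 when allowed."""
    role = API_KEYS.get(api_key)
    if role is None:
        return 401, "unknown or missing credential"
    # Drop the query string and normalise dot segments before matching, so the
    # rule is evaluated against the path the backend would actually serve.
    path = posixpath.normpath(raw_path.split("?", 1)[0])
    for r in effective_roles(role):
        for allowed_method, pattern in ACL.get(r, []):
            if allowed_method == method.upper() and path_matches(pattern, path):
                return 200, f"allowed by role {r!r}"
    return 403, f"{method.upper()} {path} not permitted for role {role!r}"
```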