Broken Function Level Authorization

Check List

Methodology

Black Box

Vertical Privilege Escalation via Admin Endpoint

1. Log in as a normal user and capture your API token.

2. Attempt to access an admin-only endpoint:

   GET /api/admin/users HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

3. If the response returns the user list instead of 403/401, role validation is missing.

4. If the endpoint is accessible with a low-privileged token, function-level authorization is broken.

5. If sensitive administrative functionality is exposed to a non-admin user, the vulnerability is confirmed.


Privileged Action via HTTP Method Manipulation

1. Log in as a normal user and intercept a normal read-only request:

   GET /api/users/1024 HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

2. Change the HTTP method to a privileged action:

   DELETE /api/users/1024 HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

3. Send the modified request.

4. If the deletion succeeds without admin privileges, function-level authorization is not enforced per HTTP method.

5. If the server validates authentication but not role-based function access, the vulnerability is confirmed.
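The two checks above (an admin-only path answered with data, and a privileged method accepted on a resource the user may only read) leave a trace in access logs whenever the server records the authenticated subject's server-side role next to the request. The following is an added example, not part of the original checklist: it parses a few constructed log lines and flags every admin-only call that returned 2xx for a non-admin principal. The log format, the path patterns in ADMIN_ONLY and the sample lines are all assumptions chosen to mirror the requests shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the page). Format assumed here:
# timestamp, authenticated subject, its SERVER-SIDE role, method, path, status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sub=alice role=user GET /api/users/1024 200
2024-05-01T10:00:02Z sub=alice role=user GET /api/admin/users 200
2024-05-01T10:00:03Z sub=bob role=admin GET /api/admin/users 200
2024-05-01T10:00:04Z sub=alice role=user DELETE /api/users/1024 204
2024-05-01T10:00:05Z sub=carol role=user DELETE /api/users/77 403
2024-05-01T10:00:06Z sub=carol role=user POST /api/admin/users 401
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Hypothetical policy describing which functions are admin-only:
# a None method set means "any method".
ADMIN_ONLY = [
    (None, re.compile(r"^/api(/v\d+)?/admin/")),                    # everything under /admin/
    ({"DELETE", "PUT", "PATCH"}, re.compile(r"^/api/users/\d+$")),  # writes to user records
]


@dataclass(frozen=True)
class Finding:
    ts: str
    sub: str
    role: str
    method: str
    path: str
    status: int


def is_admin_function(method, path):
    """True when (method, path) is an administrative function under ADMIN_ONLY."""
    for methods, pattern in ADMIN_ONLY:
        if pattern.search(path) and (methods is None or method in methods):
            return True
    return False


def find_bfla_successes(log_text):
    """Return admin-only calls that succeeded (2xx) for a non-admin principal.

    A 403/401 on such a call is the expected outcome; a 2xx is the signal that
    function-level authorization was not enforced for that request.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        status = int(m["status"])
        if (m["role"] != "admin"
                and is_admin_function(m["method"], m["path"])
                and 200 <= status < 300):
            findings.append(Finding(m["ts"], m["sub"], m["role"],
                                    m["method"], m["path"], status))
    return findings


if __name__ == "__main__":
    for f in find_bfla_successes(SAMPLE_LOG):
        print(f"{f.ts} {f.sub} ({f.role}) {f.method} {f.path} -> {f.status}")
```

Against the constructed sample, the scan reports alice's GET on /api/admin/users and her DELETE on /api/users/1024; carol's attempts are not reported because the server answered 403 and 401, which is the behaviour the checklist expects.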


Hidden Admin Endpoint Discovery

1. Log in as a normal user and browse the JavaScript files:

   GET /static/app.js HTTP/1.1
   Host: target.com

2. Identify a hidden admin endpoint reference:

   /api/v1/admin/export-users

3. Request the endpoint directly:

   GET /api/v1/admin/export-users HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

4. If the server responds with exported user data instead of access denied, role enforcement is missing.

5. If the backend relies only on UI restrictions and not on server-side role checks, function-level authorization is broken.


Role Parameter Tampering

1. Log in as a normal user and intercept a privileged request structure:

   POST /api/settings/update HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token
   Content-Type: application/json

   {"feature":"maintenance","enabled":false}

2. Modify the request by adding a role field:

   {"feature":"maintenance","enabled":true,"role":"admin"}

3. Send the modified request. If privileged system configuration is changed without an admin account, the server trusts client input for function authorization.

4. If administrative functionality is executed by a non-admin user, the Broken Function Level Authorization vulnerability is confirmed.
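All four checks on this page fail against the same design: the role is resolved server-side from the token, every (method, route) pair carries its own allowed-role set, unknown routes are denied, and anything the client puts in the body is irrelevant to the decision. The following is an added example, not code from the original page: a framework-free authorization layer that encodes that design and can be exercised with the exact requests shown above. TOKENS, ROUTES, the Request type and the authorize() function are all hypothetical names and constructed data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical server-side token store (constructed data). The role is looked
# up here and never read from the request, which defeats role-field tampering.
TOKENS = {
    "user_token": {"sub": "alice", "role": "user"},
    "admin_token": {"sub": "bob", "role": "admin"},
}

# Authorization is declared per (method, route template), so a GET and a
# DELETE on the same resource get independent decisions. Anything not listed
# here is denied, which also covers endpoints only referenced from client JS.
ROUTES = {
    ("GET", "/api/users/{id}"): {"user", "admin"},
    ("DELETE", "/api/users/{id}"): {"admin"},
    ("GET", "/api/admin/users"): {"admin"},
    ("GET", "/api/v1/admin/export-users"): {"admin"},
    ("POST", "/api/settings/update"): {"admin"},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def match_route(method, path):
    """Return the allowed-role set for (method, path), or None if no route matches."""
    parts = path.split("/")
    for (m, template), roles in ROUTES.items():
        tparts = template.split("/")
        if m != method or len(tparts) != len(parts):
            continue
        # A "{name}" segment matches any non-empty path segment.
        if all(t == p or (t.startswith("{") and t.endswith("}") and p)
               for t, p in zip(tparts, parts)):
            return roles
    return None


def principal_from(request):
    """Resolve the caller from the bearer token; None when the token is absent or unknown."""
    auth = request.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def authorize(request):
    """Return the HTTP status the authorization layer would produce.

    401: no valid token   404: route not declared   403: role not allowed   200: allowed
    """
    principal = principal_from(request)
    if principal is None:
        return 401
    allowed = match_route(request.method, request.path)
    if allowed is None:
        return 404  # deny by default: undeclared functions are not reachable
    # Only the server-side role counts; request.body is never consulted here.
    if principal["role"] not in allowed:
        return 403
    return 200


if __name__ == "__main__":
    user = {"Authorization": "Bearer user_token"}
    print(authorize(Request("GET", "/api/admin/users", user)))                # 403
    print(authorize(Request("DELETE", "/api/users/1024", user)))              # 403
    print(authorize(Request("GET", "/api/v1/admin/export-users", user)))      # 403
    print(authorize(Request("POST", "/api/settings/update", user,
                            {"feature": "maintenance", "enabled": True, "role": "admin"})))  # 403
```

Running the four requests from the checklist with user_token yields 403 in every case, while the read-only GET on /api/users/1024 still returns 200 for the same token; the added "role":"admin" in the body changes nothing because authorize() never looks at the body.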


White Box
