Severity: high | CWE-285 | OWASP API5:2023

Broken Function Level Authorization

Admin or privileged API endpoints accessible to regular users — missing role checks allow privilege escalation to administrative functions.

How It Works

This vulnerability occurs when API endpoints that should only be accessible to admins or specific roles don't verify the user's role. Regular users can access admin functions by simply calling the endpoint directly. Common patterns include admin routes that only check if a user is authenticated (not their role), hidden admin endpoints that rely on obscurity, or inconsistent role checks where some admin routes are protected but others aren't.

Vulnerable Code
// Admin endpoint — only checks authentication, not role
app.delete('/api/admin/users/:id', auth, async (req, res) => {
  await User.deleteOne({ _id: req.params.id });
  res.json({ success: true });
});
Secure Code
// Admin endpoint — checks both auth and role
app.delete('/api/admin/users/:id', auth, requireRole('admin'),
  async (req, res) => {
    await User.deleteOne({ _id: req.params.id });
    res.json({ success: true });
  }
);

Real-World Example

In 2019, a vulnerability in a major airline's API allowed any authenticated user to access admin endpoints for managing flights and passenger manifests. The endpoints required authentication but didn't check roles, giving all users admin-level access.

How to Prevent It

  • Implement role-based access control (RBAC) middleware
  • Apply role checks consistently on ALL admin endpoints
  • Use a centralized authorization layer, not per-route checks
  • Regularly audit admin endpoints for proper authorization
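The following is an added example, not code from the original page or from Data Hogo. It shows the pieces the list above asks for in Express-style JavaScript: a `requireRole` middleware of the shape used in the secure snippet, a centralized policy gate that denies admin paths by default so a route added later without its own check is still protected, and a small audit helper that flags admin routes registered without a role check. The policy table, the route table and the `authorizeByPolicy` / `auditAdminRoutes` names are assumptions made for the example; it has no framework dependency so it runs stand-alone with node.

```javascript
'use strict';

// Central policy table (assumed layout for this example): URL prefix -> roles
// allowed to call it. Longest prefix wins, so '/api/admin/' overrides '/api/'.
const POLICY = [
  { prefix: '/api/admin/',   roles: ['admin'] },
  { prefix: '/api/support/', roles: ['admin', 'support'] },
  { prefix: '/api/',         roles: ['admin', 'support', 'user'] },
];

// Roles permitted for a path; an unlisted path gets [] so the gate fails closed.
function rolesFor(policy, path) {
  let best = null;
  for (const rule of policy) {
    if (path.startsWith(rule.prefix) &&
        (best === null || rule.prefix.length > best.prefix.length)) {
      best = rule;
    }
  }
  return best ? best.roles : [];
}

// Pure decision: an authenticated user whose role string the policy lists.
function isAuthorized(policy, user, path) {
  if (!user || typeof user.role !== 'string') return false;
  return rolesFor(policy, path).includes(user.role);
}

// Express-style middleware with the shape of the page's requireRole('admin').
// Assumes a preceding auth middleware has populated req.user.
function requireRole(...allowed) {
  return function (req, res, next) {
    const role = req.user && req.user.role;
    if (!allowed.includes(role)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Centralized gate: mount once at the app root, app.use(authorizeByPolicy(POLICY)),
// so every request is checked against the policy before any handler runs.
// req.path is the request path without the query string, as Express exposes it.
function authorizeByPolicy(policy) {
  return function (req, res, next) {
    if (!isAuthorized(policy, req.user, req.path)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Minimal stand-in for Express's req/res so the middleware can be exercised offline.
function runMiddleware(mw, req) {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return { statusCode: res.statusCode, nextCalled };
}

// Audit helper for the "ALL admin endpoints" item: given a route table
// (constructed below; a real app would derive it from its route registry),
// list admin routes whose middleware chain has no requireRole entry.
function auditAdminRoutes(routes) {
  return routes
    .filter((r) => r.path.startsWith('/api/admin/') &&
                   !r.middleware.some((name) => name.startsWith('requireRole')))
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed route table with one inconsistently protected admin route.
const SAMPLE_ROUTES = [
  { method: 'DELETE', path: '/api/admin/users/:id', middleware: ['auth', "requireRole('admin')"] },
  { method: 'GET',    path: '/api/admin/reports',   middleware: ['auth'] },
  { method: 'GET',    path: '/api/profile',         middleware: ['auth'] },
];

// Exercise the three pieces with constructed requests.
function demo() {
  return {
    userOnAdmin:     runMiddleware(requireRole('admin'), { user: { role: 'user' },  path: '/api/admin/users/42' }),
    adminOnAdmin:    runMiddleware(requireRole('admin'), { user: { role: 'admin' }, path: '/api/admin/users/42' }),
    gateUserOnAdmin: runMiddleware(authorizeByPolicy(POLICY), { user: { role: 'user' }, path: '/api/admin/reports' }),
    unprotected:     auditAdminRoutes(SAMPLE_ROUTES),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The policy gate and the per-route `requireRole` are complementary: the gate guarantees a floor for every path under a prefix, and the per-route check documents the requirement next to the handler. The audit helper is what turns "regularly audit admin endpoints" into something a CI job can run against the route registry.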

Affected Technologies

Node.js, Python, Go, Java, PHP, C#