Introduction to API5:2019 Broken Function Level Authorization
Broken Function Level Authorization, listed as API5:2019 in the OWASP API Security Top 10, occurs when an API authenticates a caller but does not check, per function, whether that caller is allowed to invoke it. Authorization decisions are often scattered across handlers, hidden behind UI that simply does not show administrative buttons to ordinary users, or left to the assumption that an endpoint nobody links to will not be found. An attacker who is already logged in as a low-privilege user only has to guess or modify the request: change a path from /user/update to /admin/delete, add an /admin prefix, or send DELETE instead of GET to the same resource path. Unlike API1:2019 (Broken Object Level Authorization), where the caller reaches another user's data through a legitimate function, here the caller reaches a function that should not be available to their role at all. Authentication alone does not prevent this; an API that checks only "is this a valid session" will happily execute privileged operations for any session. To prevent it, every function in the API must declare the roles or permissions it requires, the server must enforce that requirement on each request before the handler runs, and unregistered or undeclared functions must be denied by default rather than exposed because nobody remembered to restrict them.
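The following is an added example written for this page; it is not code from OWASP or from any project the page describes. It contrasts a dispatcher that only authenticates with one that enforces a declared role set per function, using a framework-free request model so it runs stand-alone. The users, tokens, paths and role names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed sample identity store (hypothetical tokens and roles).
USERS = {
    "token-alice": {"name": "alice", "roles": frozenset({"user"})},
    "token-bob":   {"name": "bob",   "roles": frozenset({"user", "admin"})},
}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    token: Optional[str] = None


def authenticate(req: Request):
    """Return the user record for a valid token, or None."""
    return USERS.get(req.token)


# --- Vulnerable pattern: authentication only --------------------------------
# Every logged-in user reaches every handler; the "admin" prefix is decorative.
def vulnerable_dispatch(req: Request) -> Tuple[int, str]:
    user = authenticate(req)
    if user is None:
        return 401, "unauthenticated"
    handlers = {
        ("GET", "/users/me"):       lambda u: (200, f"profile of {u['name']}"),
        ("GET", "/admin/users"):    lambda u: (200, "listing all users"),
        ("DELETE", "/admin/users"): lambda u: (200, "deleted a user"),
    }
    handler = handlers.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return handler(user)


# --- Hardened pattern: per-function role requirement, deny by default --------
# Route table maps (method, path) -> (required roles, handler). Registering a
# route without naming roles is impossible, so nothing is exposed by omission.
ROUTES: Dict[Tuple[str, str], Tuple[FrozenSet[str], Callable]] = {}


def route(method: str, path: str, roles: FrozenSet[str]):
    def register(fn: Callable) -> Callable:
        ROUTES[(method, path)] = (frozenset(roles), fn)
        return fn
    return register


@route("GET", "/users/me", roles=frozenset({"user", "admin"}))
def get_me(user):
    return 200, f"profile of {user['name']}"


@route("GET", "/admin/users", roles=frozenset({"admin"}))
def list_users(user):
    return 200, "listing all users"


@route("DELETE", "/admin/users", roles=frozenset({"admin"}))
def delete_user(user):
    return 200, "deleted a user"


def hardened_dispatch(req: Request) -> Tuple[int, str]:
    user = authenticate(req)
    if user is None:
        return 401, "unauthenticated"
    entry = ROUTES.get((req.method, req.path))
    if entry is None:
        return 404, "not found"          # unknown (method, path): deny
    required, handler = entry
    # Authorization check happens here, before any handler code runs.
    if not (user["roles"] & required):
        return 403, "forbidden"
    return handler(user)


if __name__ == "__main__":
    attack = Request("DELETE", "/admin/users", "token-alice")  # ordinary user
    print("vulnerable:", vulnerable_dispatch(attack))
    print("hardened:  ", hardened_dispatch(attack))
```

The decisive difference is that the hardened dispatcher checks a requirement attached to the function itself, in one place, before the handler is reached; method changes (GET to DELETE) and path guessing then fall through the same check instead of relying on each handler's author to remember it.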
OWASP API5:2019 Broken Function Level Authorization