OWASP API5:2023 Broken Function Level Authorization

F5 ASM
OWASP
IPI

Introduction to API5:2023 Broken Function Level Authorization

Broken Function Level Authorization occurs when an API fails to enforce proper authorization checks before allowing access to sensitive functions or operations. While users might be authenticated, they can still perform actions beyond their privileges (for example, a regular user calling admin functions) if the API does not validate roles or permissions properly. This often happens when frontend role controls, such as hiding an admin button in the UI, are assumed to be enough. The solution is to enforce strict authorization on every function at the API level, ensuring that only users with the correct roles can execute specific actions, regardless of how the request was formed or who sent it.
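The following is an added example, not code from the original page or from F5: a minimal in-process API dispatcher that places a vulnerable handler (authenticated caller, no role check) beside a hardened one (role enforced server-side on every call). The session table, user names, roles and endpoint paths are constructed for illustration; the point is that the role decision is taken from the server-side session, never from anything the client sends.

```python
"""Added example (not from the original page): API5:2023 Broken Function Level
Authorization, shown as a vulnerable handler next to its hardened form.
Sessions, users, roles and routes below are constructed for illustration."""
from functools import wraps

# Constructed session table: bearer token -> user record with a server-side role.
# The role lives here, on the server, not in any client-supplied header or body.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "admin"},
}


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but the role may not call this function (HTTP 403)."""


def authenticate(headers):
    """Resolve the bearer token to a server-side session or raise Unauthorized."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    session = SESSIONS.get(token)
    if session is None:
        raise Unauthorized("invalid or missing token")
    return session


# --- Vulnerable: relies on the UI having hidden the admin action ---------------
def delete_user_vulnerable(session, body):
    # Authentication happened, but nothing checks that the caller is an admin,
    # so any logged-in user who crafts the request reaches this function.
    return {"deleted": body["target"], "by": session["user"]}


# --- Hardened: the role is checked per function, on every call ----------------
def require_role(*allowed):
    """Decorator that rejects the call unless the session role is in `allowed`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, body):
            if session["role"] not in allowed:
                raise Forbidden(f"{fn.__name__} requires one of {allowed}")
            return fn(session, body)
        return wrapper
    return decorator


@require_role("admin")
def delete_user_hardened(session, body):
    return {"deleted": body["target"], "by": session["user"]}


# Constructed route table; the legacy path stands in for the unfixed endpoint.
ROUTES = {
    ("DELETE", "/admin/users"): delete_user_hardened,
    ("DELETE", "/legacy/admin/users"): delete_user_vulnerable,
}


def dispatch(method, path, headers, body):
    """Mimic the HTTP layer: return (status_code, payload) for a request."""
    handler = ROUTES.get((method, path))
    if handler is None:
        return 404, {"error": "not found"}
    try:
        session = authenticate(headers)
        return 200, handler(session, body)
    except Unauthorized as e:
        return 401, {"error": str(e)}
    except Forbidden as e:
        return 403, {"error": str(e)}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}  # role "user"
    bob = {"Authorization": "Bearer tok-bob"}      # role "admin"
    req = {"target": "carol"}
    print("legacy, alice:", dispatch("DELETE", "/legacy/admin/users", alice, req))
    print("hardened, alice:", dispatch("DELETE", "/admin/users", alice, req))
    print("hardened, bob:", dispatch("DELETE", "/admin/users", bob, req))
```

Running the script shows the regular user succeeding against the legacy route (200) and receiving 403 from the hardened one, while the admin still gets 200. The same `require_role` check belongs on every sensitive function, not only on the ones the UI happens to expose.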
