API security is a critical concern for businesses today as APIs become increasingly central to the modern software landscape. The Open Web Application Security Project (OWASP) has identified the top 10 security vulnerabilities that threaten API security, one of which is Broken Function Level Authorization. This vulnerability refers to the risk of improper authorization controls in APIs, which can allow unauthorized access to sensitive functionality. This can happen when API calls don't properly validate the caller's permissions or aren't correctly enforced on the server side.


Broken Function Level Authorization can leave an organization vulnerable to various attacks, including data theft, injection attacks, and privilege escalation. As such, businesses must secure their APIs against this and other OWASP top 10 security vulnerabilities. Businesses can protect their APIs and sensitive data by properly implementing authorization controls and enforcing permissions on both the client and server sides.



Broken Function Level Authorization poses significant risks that organizations must be aware of. OWASP has identified this vulnerability as one of the top 10 security risks that can expose APIs to attacks. Some common risks associated with Broken Function Level Authorization include:


  • Unauthorized parties accessing or using sensitive functionality
  • Data modification or deletion without authorization
  • Elevating rights without permission


These risks highlight the importance of implementing strong authorization controls for APIs. Businesses must ensure that permissions are correctly enforced on both the client and server sides and that API calls are properly validated. By doing so, organizations can minimize the risk of unauthorized access to sensitive information and protect their APIs against the OWASP top 10 security risks, including Broken Function Level Authorization.


Attack Scenarios

Securing cloud applications against API security risks is critical to protect against various attack scenarios. OWASP has identified that APIs are vulnerable to the top 10 security risks, and organizations should take the necessary measures to minimize the risk of such attacks. For cloud applications, possible attack scenarios include:


  • An attacker intercepts an API call and tampers with the caller's permission fields to gain access to sensitive functionality.
  • An attacker uses a compromised account with higher permissions to access sensitive functionality.
  • An attacker uses a vulnerability in the API to get around authorization checks and access sensitive functionality.


These scenarios demonstrate the need for robust security measures to protect against API security risks. Organizations must ensure that API calls are appropriately authenticated, validated, and authorized. It is essential to maintain access control mechanisms to mitigate the risks associated with Broken Function Level Authorization, one of the top 10 security risks identified by OWASP. By implementing comprehensive security controls and regularly auditing API security practices, businesses can protect their cloud applications from various attack scenarios and secure their APIs against the OWASP top 10 security risks.


Vulnerable Sample Code

A sample of vulnerable Go code that could result in API Authorization issues is:




In this instance, the API call grants a user the ability to delete information from a database by transmitting their ID through the request header. However, there are no validation or authorization checks in place to guarantee that the user is authorized to erase the data, and any user with a valid ID could potentially delete data belonging to other users. This vulnerability could be exploited by an attacker intercepting the API call and modifying the user ID to delete data that they should not be able to access.
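The following Go program is an added example written for this page; it is not the article's missing sample and not Prancer's code. It puts the header-trusting handler the paragraph describes next to a hardened one. The record store, the token table (`tok-alice`, `tok-bob`, `tok-admin`), the `editor`/`admin` roles and the `/records/{id}` route are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal is the caller's identity as resolved on the server from a bearer
// token; nothing in it comes from a client-controlled header.
type Principal struct {
	ID    string
	Roles map[string]bool
}

// Store is a constructed in-memory table of record ID -> owner user ID,
// standing in for the database the article mentions (not concurrency-safe).
type Store map[string]string

func NewStore() Store { return Store{"rec-1": "alice", "rec-2": "bob"} }

func recordID(path string) string { return strings.TrimPrefix(path, "/records/") }

// VulnerableDelete follows the pattern the article describes: the user ID is
// read from a header the client controls, and nothing checks whether that
// user may delete anything at all, let alone this particular record.
func VulnerableDelete(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-User-ID") // trusted as-is: the defect
		id := recordID(r.URL.Path)
		if _, ok := s[id]; !ok {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		delete(s, id)
		fmt.Fprintf(w, "deleted %s on behalf of %s\n", id, userID)
	}
}

// sessions is a constructed token -> principal table standing in for a real
// session store or token validator; bob holds no delete permission at all.
var sessions = map[string]Principal{
	"tok-alice": {ID: "alice", Roles: map[string]bool{"editor": true}},
	"tok-bob":   {ID: "bob", Roles: map[string]bool{}},
	"tok-admin": {ID: "admin", Roles: map[string]bool{"editor": true, "admin": true}},
}

// authenticate maps the Authorization header to a server-side principal.
func authenticate(r *http.Request) (Principal, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return Principal{}, false
	}
	p, ok := sessions[strings.TrimPrefix(h, prefix)]
	return p, ok
}

// HardenedDelete resolves identity server-side, then applies two checks in
// order: function-level (may this principal call delete at all?) and
// object-level (may they delete this particular record?).
func HardenedDelete(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, ok := authenticate(r)
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if !p.Roles["editor"] { // function-level authorization
			w.WriteHeader(http.StatusForbidden)
			return
		}
		id := recordID(r.URL.Path)
		owner, exists := s[id]
		if !exists {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		if owner != p.ID && !p.Roles["admin"] { // object-level authorization
			w.WriteHeader(http.StatusForbidden)
			return
		}
		delete(s, id)
		w.WriteHeader(http.StatusNoContent)
	}
}

// Call issues an in-process DELETE against h and returns the HTTP status code.
func Call(h http.HandlerFunc, path string, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodDelete, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	bob := map[string]string{"Authorization": "Bearer tok-bob"}
	fmt.Println("vulnerable:", Call(VulnerableDelete(NewStore()), "/records/rec-1", map[string]string{"X-User-ID": "bob"}))
	fmt.Println("hardened:  ", Call(HardenedDelete(NewStore()), "/records/rec-1", bob))
}
```

The two checks in `HardenedDelete` are deliberately separate: the role check answers "is this function available to this caller" (the OWASP Broken Function Level Authorization item), and the ownership check answers "is this object theirs" (a distinct item in the same list). Both run on the server, and the caller's identity comes from the validated token rather than from any header the client can edit. Some APIs return 404 instead of 403 for records the caller does not own so that existence is not revealed; the example keeps 403 so the two refusals are distinguishable.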

Sample Attack

A sample attack exploiting Broken Function Level Authorization using the curl command might look like this:





In this scenario, the attacker is utilizing curl to transmit a DELETE request to the API, including a tampered user ID through the request header. If the API is susceptible to broken function level authorization, the attacker may be able to erase data that they are not authorized to access.

MITRE ATT&CK framework reference

Broken Function Level Authorization is a significant concern for API security. It can be mapped to the Tactic: Privilege Escalation and Techniques: Exploitation of Uncontrolled Linkage to a Third-party Domain and Uncontrolled Search Path Element in the MITRE ATT&CK framework. These techniques involve exploiting vulnerabilities in authorization controls to gain unauthorized access to resources or functionality that should be protected. 


Mapping Broken Function Level Authorization to these techniques highlights the seriousness of this OWASP top 10 security risk and emphasizes the importance of implementing strong authorization controls to prevent such attacks. Organizations should be vigilant in securing their APIs and following best practices to minimize the risk of privilege escalation attacks.


Organizations should implement proper authentication and authorization controls to mitigate the risks associated with Broken Function Level Authorization and ensure robust API security. These may include regularly reviewing and testing the security of their API implementations, enforcing the principle of least privilege, and ensuring proper logging and monitoring of API activity to detect and respond to any unauthorized access or manipulation of sensitive functionality. By following OWASP's top 10 security risks and industry best practices, businesses can proactively protect their APIs and ensure their sensitive data remains secure.
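As an added example of the logging and monitoring point above (written for this page, not taken from the article or from Prancer), the Go program below scans constructed JSON-lines API access logs for two signals of Broken Function Level Authorization: a principal collecting repeated 403 responses on privileged routes, and a non-admin principal receiving a success on a privileged route. The log field names (`user`, `method`, `path`, `status`), the `/admin/` prefix and the user names are assumptions for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Entry is one access-log record. The field set is an assumption for this
// example; the user must be the principal resolved from the token server-side,
// never a client-supplied header, or the analysis can be spoofed.
type Entry struct {
	User   string `json:"user"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Status int    `json:"status"`
}

// Privileged reports whether a call targets a function that should be limited
// to administrators; here that is anything under /admin/ (assumed layout).
func Privileged(e Entry) bool { return strings.HasPrefix(e.Path, "/admin/") }

// Finding is one alert produced by Analyze.
type Finding struct {
	User   string
	Reason string
}

// Analyze returns findings for users with at least threshold 403s on
// privileged functions (probing) and for non-admin users who got a 2xx on a
// privileged function (the control failed). Malformed lines are skipped.
func Analyze(logText string, admins map[string]bool, threshold int) []Finding {
	denied := map[string]int{}
	unexpected := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // malformed line: skip it rather than abort the whole run
		}
		if !Privileged(e) {
			continue
		}
		switch {
		case e.Status == 403:
			denied[e.User]++
		case e.Status >= 200 && e.Status < 300 && !admins[e.User]:
			unexpected[e.User] = true
		}
	}
	var out []Finding
	for u, n := range denied {
		if n >= threshold {
			out = append(out, Finding{u, fmt.Sprintf("%d forbidden responses on privileged functions", n)})
		}
	}
	for u := range unexpected {
		out = append(out, Finding{u, "succeeded on a privileged function without the admin role"})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

// SampleLog is constructed for this example and includes one malformed line.
const SampleLog = `
{"user":"alice","method":"GET","path":"/records","status":200}
{"user":"mallory","method":"GET","path":"/admin/users","status":403}
{"user":"mallory","method":"POST","path":"/admin/export","status":403}
not a json line at all
{"user":"mallory","method":"PUT","path":"/admin/config","status":403}
{"user":"bob","method":"POST","path":"/admin/export","status":200}
{"user":"admin","method":"GET","path":"/admin/users","status":200}
`

func main() {
	for _, f := range Analyze(SampleLog, map[string]bool{"admin": true}, 3) {
		fmt.Printf("%s: %s\n", f.User, f.Reason)
	}
}
```

The second signal is the more important one for this vulnerability class: a 2xx on an admin-only route from a non-admin principal means the server-side check was missing or bypassed, whereas repeated 403s show the check held but someone was looking for a gap. The admin set should come from the same authorization source the API uses, so the detector and the control agree on who is privileged.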

Download the API Security whitepaper

When it comes to API security, having the right measures in place to safeguard against potential threats is crucial. Prancer Security's comprehensive whitepaper provides valuable insights into how its cutting-edge solution can mitigate critical risks such as unauthorized access and data breaches while adhering to the highest security standards. By downloading this whitepaper, organizations can better understand how Prancer Security can help secure their APIs against the OWASP top 10 security risks and other potential threats.


The whitepaper covers various topics, including proper authentication and authorization controls, securing data in transit and at rest, and logging and monitoring API activity. It also provides an overview of identifying and mitigating vulnerabilities in APIs, such as Broken Function Level Authorization.


Don't leave your API security to chance – download Prancer Security's comprehensive whitepaper now and discover how their cutting-edge solution can safeguard your organization from potential threats while adhering to industry best practices and OWASP's top 10 security risks.
