Deepshikha Paty
DI-ASM
What is Broken Function Level Authorization?
It's a security flaw where a website or app doesn't properly check what actions a user is allowed to do.
So, even if you're not an admin, you might still be able to access admin-only functions (like deleting users or changing roles) just by guessing or changing the URL.
This usually happens when:
- The system trusts what's in the request (like isAdmin=1)
- The user's role isn't properly checked in the backend
Example:
Imagine a website with two types of users:
- Normal user
- Admin user
Admins can access this URL to delete a user:
https://example.com/admin/delete-user?userId=123
- But the website does not check if you're actually an admin.
- So if a normal user copies that URL and opens it in their browser, the action still works!
This is Broken Function Level Authorization: the function (delete-user) is not protected by checking the user's role.
Why it's dangerous:
- Hackers or normal users can:
  - Access admin functions
  - Modify or delete other users
  - Change roles or settings
- It breaks the access control and security rules of the app
How to prevent it:
- Always check user roles on the server before allowing any sensitive action.
- Do not rely only on hidden buttons or menus to block users.
- Test every function to make sure it's only available to the correct roles (admin, manager, etc.).
In short:
Broken Function Level Authorization means users can access functions they shouldn't be allowed to, because the server doesn't check permissions properly.
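The delete-user flaw and the server-side role check the post calls for, shown side by side as an added example (not code from the original post). The user table, session store and request shape are constructed for illustration, not a real framework.

```python
# Added example: the /admin/delete-user endpoint, first as the vulnerable
# handler that trusts isAdmin from the request, then hardened so the role
# is resolved on the server before the action runs. All data is constructed.
from functools import wraps


def fresh_users():
    """Constructed server-side user table; the role lives here, never in the request."""
    return {101: {"name": "alice", "role": "admin"},
            102: {"name": "bob", "role": "user"},
            123: {"name": "carol", "role": "user"}}


SESSIONS = {"sess-alice": 101, "sess-bob": 102}   # session cookie -> user id


def vulnerable_delete_user(users, session_id, params):
    """BFLA: whoever sets isAdmin=1 in the query string is treated as admin."""
    if params.get("isAdmin") != "1":
        return 403, "forbidden"
    users.pop(int(params["userId"]), None)
    return 200, "deleted"


def requires_role(*allowed):
    """Decorator: look up the caller's role from the server-side session and
    user store, and refuse the request unless that role is in `allowed`."""
    def decorator(handler):
        @wraps(handler)
        def guarded(users, session_id, params):
            caller = users.get(SESSIONS.get(session_id))
            if caller is None or caller["role"] not in allowed:
                return 403, "forbidden"      # rejected before touching any data
            return handler(users, session_id, params)
        return guarded
    return decorator


@requires_role("admin")
def hardened_delete_user(users, session_id, params):
    """Same action, only reachable after the server-side role check passed.
    Request fields (isAdmin, userId) are treated as untrusted input."""
    user_id = params.get("userId", "")
    if not user_id.isdigit():
        return 400, "missing userId"
    users.pop(int(user_id), None)
    return 200, "deleted"
```

The check belongs on every sensitive handler, not just this one; the decorator makes it hard to forget on the next admin function.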