Application Programming Interfaces (APIs) allow your applications to talk to one another, like an application-to-application iMessage or Signal. If you’ve ever texted a message to the wrong group chat, you’ve created a situation that mimics what broken function level authentication does between users and applications. By giving this other group chat “access” to a message they shouldn’t have been able to read or answer, you gave them the ability to take an action outside of their normal role. With broken function level authorization, APIs allow attackers to gain access to resources outside standard-user permissions.
By understanding what broken function level authorization is and how to mitigate it, you can improve your API security and protect data more effectively.
What is Function Level Authorization?
Function level authorization involves controlling user access to specific functions or actions based on their role or permission level. Software developers assign each user or application a specific role or permission level that defines the functions or endpoints they can access within an API.
For example, implementing function level authorization in a Node.js API using Express.js and JSON Web Tokens (JWT) for authentication might look like this:
app.post('/login', (req, res) => {
const user = { username: 'exampleUser' };
const accessToken = jwt.sign(user, process.env.JWT_SECRET);
res.json({ accessToken: accessToken });
});
app.get('/protected', authenticateToken, (req, res) => {
if (req.user.role !== 'admin') {
return res.sendStatus(403);
}
In this example, the function level authorization tells the API to :
- Verify the JWT token: function authenticateToken(req, res, next)
- Authenticate user credentials, generate a JWT token, and send it to the client: post(‘/login’, (req, res) => {
- Ensure that only users with a valid JWT token can access the endpoint: get(‘/protected’, authenticateToken, (req, res) => {
- Denies access if the requested user role is administrative and lacks appropriate authorization: return res.sendStatus(403)
What Is Broken Function Level Authorization?
Broken function level authorization is when an API fails to properly check the function’s or properly enforce user permissions at the functional level. Listed as number five on the OWASP Top 10 API Security list, this vulnerability means attackers can send legitimate API calls to an API endpoint that give them access as anonymous or standard, non-privileged users. While authorization checks at the application level are complex, discovering the vulnerability in APIs may be easier because they are more structured and predictable.
When trying to determine whether an API has a broken function level authorization vulnerability, developers should consider the following questions:
- Can users with standard access permissions gain access to administrative endpoints?
- Can users perform sensitive actions, like data creation, modification, or deletion simply by changing an HTTP method, like from GET to DELETE?
- Can users from one group access a function that should be limited to only users from another group by guessing the endpoint URL and parameters?
Example 1
Taking the example of a a Node.js API using Express.js and JSON Web Tokens (JWT), the vulnerability might fail to include a function level authentication check inside the protected endpoint:
app.post('/login', (req, res) => {
const user = { username: 'exampleUser', role: 'admin' };
};
const accessToken = jwt.sign(user, process.env.JWT_SECRET);
res.json({ accessToken: accessToken });
});
app.get('/protected', authorize, (req, res) => {
Instead of requiring the API to “authenticateToken” as an administrative user, this example simply allows someone to “authorize” to the endpoint, granting anyone with a valid token access to it. This example lacks the “403” forbidden code that denies access to anyone without an admin role.
Example 2
Another example of broken function level authorization might look like this:
app.post('/login', (req, res) => {
const user = { username: 'exampleUser', role: 'user' };
const accessToken = jwt.sign(user,
process.env.JWT_SECRET);
res.json({ accessToken: accessToken });
});
app.get('/protected', authenticateToken, (req, res) => {
if (req.user.role !== 'admin') {
return res.sendStatus(403);
In this example, the API checks whether the user’s role is “admin”, but it fails to restrict access based on roles earlier on “role: ‘user’.” Users with roles other than admin may gain access even though it should deny them access as noted by the “403” forbidden error at the “/protected” endpoint.
Broken Function Level Authorization vs. Broken Object Level Authorization
Although the vulnerabilities may sound similar, they have distinct features based on what attackers can exploit:
- Object level: manipulate an objects IDs based on information contained in the requests returned from the client server
- Function level: access to exposed endpoints often using legitimate API calls to an endpoint that lacks appropriate access controls
Additionally, while both can lead to data disclosure, data loss, and data corruption, you should be aware that they differ in outcomes:
- Broken Function Level Authorization may cause service disruption.
- Broken Object Level Authorization may lead to account takeover.
Challenges Trying to Protect APIs Against Broken Function Level Authorization
To understand the challenges organizations face when trying to protect APIs from this vulnerability, you should understand the capabilities that Web Application Firewalls (WAFs) and API gateways have. These outside-in technologies can typically help mitigate risks by:
- Processing API requests using per-request policy flows that implement authorization mechanisms, like per-request policy branches, subsession and per-flow variable, subroutine gating criteria
- Communication with external servers that make API calls or retrieve information
- Allow developers to set rules for manipulating and configuring things like data and headers
- Aggregating and enforcing access validation to the portal that users must pass through before getting to authenticated URLs
- Evaluating existing JWT authorizations within tokens
- Viewing the distribution of authentication types across API endpoints
While these protections can mitigate some risk, they fail to provide comprehensive API security because they:
- Authenticate anyone who has the appropriate tokens or cookies.
- Fail to monitor API traffic, providing no insight into attacker manipulation.
- Inhibit or break API functionality when they support statically defined message filters.
- Fail to identify third-party applications whose API functions should have been deprecated or restricted.
- Require collaboration across DevOps, operations, and security to implement appropriate filters within the context of the organization’s API architecture which can become time-consuming.
How to Protect your APIs from Broken Function Level Authorization Vulnerabilities
For comprehensive API security, you need visibility into all activity within your perimeter. If attackers manage to gain unauthorized access through the API gateway or WAF, you need to know what you have in your API runtime environment.
Discover and Classify APIs
Even if you have an API gateway or WAF, they still only help you secure the APIs that you already know you have. However, to fully secure your API landscape, you need a solution with continuous traffic scanning at runtime that can:
- Discover new APIs
- Classify them based on domain
- Automate risk assessment scoring
- Track usage over time
With visibility into all APIs, including baseline usage and risk level, you can more effectively look for calls that indicate attackers are exploiting vulnerabilities.
Capture Payload Request and Response Data
While your API gateway and WAF may store metrics or limited metadata, they fail to provide insights responses. With broken function level authentication vulnerabilities, you need to know the unfiltered API request and response details so have the detailed forensic data necessary to respond to attacks.
An API security solution should be able to:
- Capture API requests and responses
- Provide runtime analysis
- Tune inspection, detection, and analysis to specific API types
- Help security teams hunt for zero-day exploits related to their unique API landscape
- Align threat signatures with the OWASP vulnerabilities list and MITRE tactics, techniques, and procedures (TTPs)
Suggest Actionable Remediation Steps
Alerts are only worthwhile if you know how to fix the problem. Your API security solution should provide a summary and description of the underlying issue that led to an alert. Any solution should enable:
- At-a-glance visibility with a high-level histogram that shows context for activity and intensity
- Remediation actions that allow you to rapidly resolve issues and optimize critical metrics like Mean Time to Respond (MTTR)
- Team collaboration by integrating with their tool of choice
- Visibility into context so you have situational awareness for fast and effective decision-making
Graylog: Mitigate API Broken Function Level Authentication Risk
With Graylog Security and Graylog API Security, you can create a comprehensive security monitoring program with end-to-end API threat, monitoring, detection, and response. Graylog Security’s out-of-the-box content and security analytics enable you to build high-fidelity alerts and pivot directly into researching the log data that matters most. Our platform gives you all the functionality of a SIEM without the complexity, providing a robust technology that empowers users of all experience levels.
With Graylog API Security, you supplement your Web Application Firewall (WAF) and API gateway monitoring for enhanced security. Graylog API Security provides continuous API Discovery, automated risk assessment scoring, and full API request and response capture so you have all the data necessary to detect and investigate common threats and API failures faster.
Contact us today to see how our combined operations, security, and API monitoring platform can help you.