API5:2023 — Broken Function Level Authorization

Q: What is Broken Function Level Authorization?

API5:2023 occurs when admin API endpoints are accessible to regular users by changing HTTP methods or URL paths, lacking proper role-based access controls.

Verified by Precogs Threat Research

OWASP API 2023Rank #5

What is Broken Function Level Authorization?

APIs with complex access control policies where administrative or privileged functions are accessible to regular users. Often involves changing HTTP method (GET to PUT/DELETE) or modifying URL paths to access admin endpoints.

Impact

Enables unauthorized access to administrative functions: deleting users, modifying configurations, accessing audit logs, or bypassing approval workflows.

Related CWEs

CWE-285 ↗

How Precogs AI Addresses API5

Precogs AI detects missing function-level authorization in API code, identifying admin endpoints accessible without proper role verification.

Scan for API5 Risks Book a demo

API5:2023 — Broken Function Level Authorization

What is Broken Function Level Authorization?

Impact

Related CWEs

Risk Overview

Quick Links

Protect Against API5

How Precogs AI Addresses API5

API5:2023 — Broken Function Level Authorization

What is Broken Function Level Authorization?

Impact

Related CWEs

Related Resources

🛡️ Notable Vulnerabilities

🔗 External References

Risk Overview

Quick Links

Protect Against API5

How Precogs AI Addresses API5