API5:2023 — Broken Function Level Authorization

Verified by Precogs Threat Research
OWASP API Security Top 10 2023, Rank #5

What is Broken Function Level Authorization?

Broken function level authorization occurs when an API with a complex access control policy (multiple roles, groups, or hierarchies) exposes administrative or privileged functions to regular users. Exploitation is usually simple: an attacker changes the HTTP method on a resource they can already read (for example GET to PUT or DELETE) or edits the URL path (for example /api/users to /api/admin/users) to reach an endpoint that never verifies the caller's role.
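The two tampering paths above, as an added example that is not Precogs code or any real API: a minimal in-process router with a vulnerable dispatcher (role check only where the developer expected regular users to go), a hardened dispatcher that maps every (method, path prefix) pair to the roles allowed to call it and denies anything unlisted, and a probe that exercises every method on every path as a low-privilege caller, the way a pentester would hunt for this class of bug. Users, roles, paths and status codes are constructed for illustration.

```python
"""Added example (not Precogs code): broken function level authorization
in a toy API router, its deny-by-default fix, and a method/path probe.
All callers, roles and routes are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample principals.
ADMIN = Caller("alice", "admin")
USER = Caller("bob", "user")


def vulnerable_route(method: str, path: str, caller: Caller) -> int:
    """Vulnerable pattern: the developer only thought about GET on a profile.
    Flipping the method to DELETE, or walking into /api/admin/, reaches
    privileged functions with no role check at all. Returns an HTTP status."""
    if path.startswith("/api/users/"):
        if method == "GET":
            return 200          # any authenticated caller may read a profile
        if method == "DELETE":
            return 200          # BFLA: never checks caller.role == "admin"
        return 405
    if path.startswith("/api/admin/"):
        return 200              # BFLA: "hidden" admin path, no role check
    return 404


# Hardened pattern: every (method, path prefix) maps to the set of roles
# permitted to call it. Anything not listed here is denied.
POLICY = {
    ("GET", "/api/users/"): {"user", "admin"},
    ("DELETE", "/api/users/"): {"admin"},
    ("GET", "/api/admin/"): {"admin"},
    ("POST", "/api/admin/"): {"admin"},
}


def hardened_route(method: str, path: str, caller: Caller) -> int:
    """Deny-by-default dispatch: the role check runs before any handler, and
    an unlisted method/path combination is rejected instead of falling
    through to a handler that forgot to check."""
    known_prefix = False
    for (allowed_method, prefix), roles in POLICY.items():
        if not path.startswith(prefix):
            continue
        known_prefix = True
        if allowed_method != method:
            continue
        return 200 if caller.role in roles else 403
    return 405 if known_prefix else 404


def probe(route, caller: Caller, paths, methods=("GET", "POST", "PUT", "DELETE")):
    """Pentest-style check: try every method on every path as `caller` and
    return the (method, path) pairs that succeed with a 2xx."""
    reachable = []
    for path in paths:
        for method in methods:
            if 200 <= route(method, path, caller) < 300:
                reachable.append((method, path))
    return reachable


if __name__ == "__main__":
    targets = ["/api/users/1", "/api/admin/users"]
    print("vulnerable, as bob:", probe(vulnerable_route, USER, targets))
    print("hardened,   as bob:", probe(hardened_route, USER, targets))
```

Run as bob, the probe shows the vulnerable router answering 200 to DELETE /api/users/1 and to every method on /api/admin/users, while the hardened router only admits GET /api/users/1. The design point is that the policy table is the single place where privilege is decided; adding a route without an entry makes it unreachable rather than silently public.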

Impact

A successful attack gives a regular user access to administrative functions: deleting users, modifying configurations, reading audit logs, or bypassing approval workflows.

How Precogs AI Addresses API5

Precogs AI detects missing function-level authorization in API code, identifying admin endpoints accessible without proper role verification.

Related CWEs