The recently published “OWASP API security top 10” report analyzes the anti-patterns that lead to vulnerabilities and security risks in APIs. In this 10 part series, we introduce these API anti-patterns. Every API professional should know about these anti-patterns.
API security anti-pattern for Broken Function-Level Authorization
If access control policies become too complex, for example by introducing many hierarchies, groups, and roles flaws in the authorization are more likely. Especially when there is no clear separation between administrative and regular functions. Attackers may exploit these issues to escalate their privileges, to gain access to the resources of other users, or to administrative functions.
Want to learn more?
- Part 1 Broken Object Level Authorization
- Part 2 Broken User Authentication
- Part 3 Excessive Data Exposure
- Part 4 Lack of Resources & Rate Limiting
- Part 5 Broken Function Level Authorization
Check out the complete OWASP API security paper. To secure access to your APIs, learn more about the OAuth in the OAuth Book, or the OAuth Course. To provide and use identity data in apps and APIs, learn more about OpenID Connect in the OpenID Connect Book, or the OpenID Connect Course.
Also published on Medium.