# Broken function level authorization (BFLA)

Broken function level authorization (BFLA) occurs when a user can trigger a function they are not authorized to use. For example, on an e-shopping website a normal user can buy items, check out, and so on, while an admin can view order details, delete a user, display a user's details, etc. A BFLA vulnerability exists when a normal user can invoke admin functions such as deleting users or viewing order details.

I will use crAPI to demonstrate this vulnerability; you can download and install it from this link:

{% embed url="https://github.com/OWASP/crAPI" %}

I started by testing the personal video upload function.

<figure><img src="/files/qpMUO70Pq6DEvv7zlDkr" alt=""><figcaption><p>Figure 1: upload a personal video</p></figcaption></figure>

I managed to upload a video. Reviewing the POST request,

<figure><img src="/files/RDc17hyum1aOd8jsN48u" alt=""><figcaption><p>Figure 2: POST request</p></figcaption></figure>

we notice that the video was uploaded successfully with id 34.

So, let's register a new user and upload a personal video for that user.

<figure><img src="/files/I8a4TTyC5jBV3mzsbIdt" alt=""><figcaption><p>Figure 3: registering a new user</p></figcaption></figure>

Then we upload a video as the new user.

<figure><img src="/files/8tS3e7jBx8L9h5xQMVNJ" alt=""><figcaption><p>Figure 4: uploading a video for the new user</p></figcaption></figure>

The new user's uploaded video has id 36.

So, if we can delete the current user's own video (id 36) that is expected behaviour, but if we can trigger the delete function for another user's video, that is BFLA.

<figure><img src="/files/JtcG0rPSHlwBr4HImPwF" alt=""><figcaption><p>Figure 5: trying to delete a video</p></figcaption></figure>

After trying to delete the video, the application responded that this is an admin function. However, it did not deny the request on authorization grounds; it only told us to use the admin API.

<figure><img src="/files/pBSjWOxZKOMJNqzqCPuU" alt=""><figcaption><p>Figure 6: admin API</p></figcaption></figure>

So, I tried to delete the video through the admin API. Even though I was authenticated as a normal user, not an admin, the video was deleted successfully.
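The root cause shown above is an admin endpoint that checks only that the caller is authenticated, never what role the caller has. The following Python sketch is an added example, not crAPI's own code (the `Principal`, `VIDEOS`, `PRINCIPALS` and handler names are constructed): the vulnerable admin delete handler is placed beside a hardened version that enforces the role before the handler body runs.

```python
# Added example, not crAPI's code: Principal, VIDEOS, PRINCIPALS are constructed.
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # "user" or "admin"

# Constructed sample data mirroring the write-up: video 34 is the first user's, 36 the new user's.
VIDEOS = {34: {"owner": 1}, 36: {"owner": 2}}
PRINCIPALS = {"token-user1": Principal(1, "user"), "token-user2": Principal(2, "user"),
              "token-admin": Principal(99, "admin")}

def authenticate(token):
    """Authentication only: a valid token yields a principal, nothing more."""
    return PRINCIPALS.get(token)

def require_role(*allowed):
    """Function-level authorization: run the handler only for allowed roles."""
    def deco(handler):
        @wraps(handler)
        def wrapper(principal, *args):
            if principal.role not in allowed:
                return 403, f"forbidden: role {principal.role} may not call {handler.__name__}"
            return handler(principal, *args)
        return wrapper
    return deco

def admin_delete_video_vulnerable(principal, video_id, store):
    """BFLA: checks only that *someone* authenticated, never the role."""
    if video_id not in store:
        return 404, "not found"
    del store[video_id]
    return 200, "deleted"

@require_role("admin")
def admin_delete_video_fixed(principal, video_id, store):
    """Same handler behind an explicit role check."""
    if video_id not in store:
        return 404, "not found"
    del store[video_id]
    return 200, "deleted"

def call(handler, token, video_id, store):
    """Dispatch as the API layer would: authenticate, then invoke the handler."""
    principal = authenticate(token)
    if principal is None:
        return 401, "unauthenticated"
    return handler(principal, video_id, store)
```

With the vulnerable handler a normal user's token deletes video 34 (HTTP 200); with the hardened handler the same call is rejected with 403 before any data is touched, while an admin token still succeeds.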

### Conclusion

Broken Function Level Authorization (BFLA) poses a significant security risk by allowing users to access functions or perform actions beyond their authorized level. This vulnerability undermines the integrity of access controls within an application, potentially leading to unauthorized access to sensitive data, misuse of administrative functionalities, and an overall compromise of system security. To mitigate the risks associated with BFLA, it is essential for developers and organizations to implement robust and granular function level authorization mechanisms, ensuring that users only have access to the functions that align with their designated roles and permissions. Regular security audits, thorough testing, and ongoing vigilance are crucial to maintaining a secure and resilient system against the threats posed by broken function level authorization.
