BFLA

Broken Function Level Authorization (BFLA) occurs when an attacker gains unauthorized access to functions or endpoints that should be restricted, typically by manipulating request parameters or exploiting insufficient authorization checks.

This can lead to unauthorized actions or access to sensitive functionalities, potentially compromising security or affecting application integrity.

Implement strict authorization checks for every function or endpoint, enforce role-based or attribute-based access controls, and regularly audit and test access controls to ensure proper restrictions are in place.

General Information

Testing for BFLA involves the same steps as BOLA; instead of creating and using same permission accounts, such as userA and userB, we need to have different permission accounts, such as authenticated vs. unauthenticated and/or low-privileged vs. high-privileged.

1. Find functional endpoints that require specific permissions.

2. Login to an account that does not have these permissions.

3. Repeat the requests identified in Step 1 with the account used on Step 2.

In the case of BOLA the user is authorized to interact with the vulnerable endpoint, whereas in BFLA the user is not.

Examples

Admin Access

The below example is based on the crAPI application.

Figure 1: Deleting userB's video with userA's token.

No-Role Access

The below example is based on HTB's API Attacks module.

Figure 2: Discovering a BFLA vulnerability.