mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Broken Function Level Authorization (BFLA)
## OWASP API5:2023 — Broken Function Level Authorization
### Description
API endpoints expose functions that should be restricted to specific roles.
Low-privileged users can invoke admin-level functionality.
### Common Patterns
| Pattern | Example |
|---------|---------|
| Guessable admin paths | `/api/admin/users` |
| Method switching | POST allowed but PUT bypasses auth |
| Role parameter manipulation | `{"role": "admin"}` in request |
| Vertical privilege escalation | User accessing admin endpoints |
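The first three rows describe server-side mistakes. The added example below (not code from this repository) contrasts an admin check wired to the GET handler only with a default-deny policy that is method-independent and takes the role from the verified token, so a `{"role": "admin"}` body claim has no effect. `Request`, `POLICY`, `authorize_before` and `authorize` are assumed names.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    role: str                                  # role from the server-verified token
    body: dict = field(default_factory=dict)   # client-controlled, never trusted for roles


ADMIN_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}

# Explicit allowlist: (permitted methods, path regex, permitted roles).
# Anything not listed here is refused, including undocumented paths such as /api/debug.
POLICY = [
    ({"GET"},        r"^/api/users/me$",         {"user", "admin"}),
    ({"GET", "PUT"}, r"^/api/users/me/profile$", {"user", "admin"}),
    (ADMIN_METHODS,  r"^/api/admin(/.*)?$",      {"admin"}),
]


def authorize_before(req: Request) -> int:
    """'Method switching' row: the role check only runs for GET on admin paths,
    and every other (method, path) combination falls through as allowed."""
    if req.method == "GET" and req.path.startswith("/api/admin"):
        return 200 if req.role == "admin" else 403
    return 200  # PUT/POST/DELETE on /api/admin/... never reach the check


def authorize(req: Request) -> int:
    """Hardened: default-deny, same rule for every method, role from the token only."""
    for methods, pattern, roles in POLICY:
        if req.method in methods and re.match(pattern, req.path):
            return 200 if req.role in roles else 403
    return 403  # unknown path or unlisted method: refuse rather than fall through
```

`req.body` is deliberately never read by `authorize`; that is what makes the role-parameter row harmless here.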
## Testing Methodology
### Step 1: Discover Endpoints
```bash
# From OpenAPI spec
curl https://api.target.com/swagger.json | jq '.paths | keys'
# From JavaScript source
grep -oP "[\"']/api/[^\"']+" app.js
```
### Step 2: Test with Low-Priv Token
```bash
curl -H "Authorization: Bearer <low_priv_token>" \
  https://api.target.com/api/admin/users
```
### Step 3: Test HTTP Method Switching
```bash
# If GET returns 403, try POST/PUT/DELETE
curl -X PUT -H "Authorization: Bearer <low_priv_token>" \
  https://api.target.com/api/admin/users/1
```
## Python requests Library
### Request with Token
```python
import requests

headers = {"Authorization": f"Bearer {token}"}  # token: the low-privilege token under test
resp = requests.get(url, headers=headers, timeout=10, verify=False)  # verify=False only behind an intercepting proxy
```
### Method Switching
```python
import requests

# Replay the same URL with each method; a sub-400 reply on a method other than
# the 403'd GET means the check is tied to one handler rather than the function.
for method in ["GET", "POST", "PUT", "DELETE", "PATCH"]:
    resp = requests.request(method, url, headers=headers, timeout=10)
    if resp.status_code < 400:
        print(f"Accessible via {method}: {resp.status_code}")
```
## Common Admin Endpoints to Test
```
/admin
/api/admin
/api/v1/admin/users
/api/internal
/manage
/api/config
/api/debug
/api/users/all
/api/system/settings
/graphql (with admin mutations)
```
## Burp Suite — Authorization Testing
### Autorize Extension
1. Install Autorize from BApp Store
2. Set low-privilege cookie/token
3. Browse application as admin
4. Autorize replays requests with low-priv token
5. Compare responses for authorization bypass
## Response Analysis
| Indicator | Meaning |
|-----------|---------|
| 200 with data | Full access (vulnerability) |
| 200 empty body | Possible partial bypass |
| 403 Forbidden | Properly restricted |
| 401 Unauthorized | Auth required |
| 405 Method Not Allowed | Method restricted |