exploiting-broken-function-level-authorization

Featured

Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative functions or access privileged API endpoints by directly calling them. The tester identifies admin and privileged endpoints, then attempts to access them with regular user credentials by manipulating HTTP methods, URL paths, and request parameters. Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for requests involving BFLA testing, admin endpoint bypass, function-level access control testing, or API privilege escalation.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Exploiting Broken Function Level Authorization

## When to Use

- Testing whether regular users can reach administrative API endpoints by calling them directly
- Assessing APIs for vertical privilege escalation, where a user can invoke functions above their role
- Evaluating whether API gateways and middleware enforce function-level access controls consistently on every route
- Testing the role-based access control (RBAC) implementation across all API endpoints and all HTTP methods, not only the ones the UI exercises
- Validating that admin endpoint paths listed in the API documentation actually enforce authorization

**Do not use** without written authorization. BFLA testing involves attempting to execute administrative functions with credentials that are not entitled to them.

## Prerequisites

- Written authorization specifying the target API and the administrative functions in scope
- Test accounts at multiple privilege levels: regular user, moderator, admin, super-admin
- API documentation (OpenAPI/Swagger spec) that may list admin endpoints
- Burp Suite Professional for request interception and manipulation
- Python 3.10+ with the `requests` library
- Knowledge of common admin endpoint naming conventions

## Workflow

### Step 1: Administrative Endpoint Discovery

```python
import requests
import itertools

BASE_URL = "https://target-api.example.com"
regular_user_headers = {"Authorization": "Bearer <regular_user_token>"}
admin_headers = {"Authorization": "Bearer <admin_token>"}

# Common admin endpoint patterns
ADMIN_PATH_PATTERNS = [
    "/api/v1/admin",
    "/api/v1/...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

testing-api-for-broken-object-level-authorization

Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.

12,642 Updated today
mukul975
Testing & QA Featured

testing-for-broken-access-control

Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.

12,642 Updated today
mukul975
API & Backend Featured

exploiting-excessive-data-exposure-in-api

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-broken-object-property-level-authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

12,642 Updated today
mukul975
API & Backend Featured

performing-api-rate-limiting-bypass

Tests API rate limiting implementations for bypass vulnerabilities by manipulating request headers, IP addresses, HTTP methods, API versions, and encoding schemes to circumvent request throttling controls. The tester identifies rate limit headers, determines enforcement mechanisms, and attempts bypasses including X-Forwarded-For spoofing, parameter pollution, case variation, and endpoint path manipulation. Maps to OWASP API4:2023 Unrestricted Resource Consumption. Activates for requests involving rate limit bypass, API throttling evasion, brute force protection testing, or API abuse prevention assessment.

12,642 Updated today
mukul975