exploiting-broken-function-level-authorization


Exploiting Broken Function Level Authorization

When to Use

  • Testing whether regular users can access administrative API endpoints by direct URL access
  • Assessing APIs for vertical privilege escalation where users can invoke functions above their role
  • Evaluating if API gateways and middleware consistently enforce function-level access controls
  • Testing role-based access control (RBAC) implementation across all API endpoints and HTTP methods
  • Validating that API documentation does not expose admin endpoint paths that lack authorization

Do not use without written authorization. Broken function level authorization (BFLA) testing involves attempting to execute administrative functions with credentials that should not be permitted to invoke them.

Prerequisites

  • Written authorization specifying target API and administrative functions in scope
  • Test accounts at multiple privilege levels: regular user, moderator, admin, super-admin
  • API documentation (OpenAPI/Swagger spec) that may list admin endpoints
  • Burp Suite Professional for request interception and manipulation
  • Python 3.10+ with the requests library
  • Knowledge of common admin endpoint naming conventions

Installs: 31
GitHub Stars: 6.3K
First Seen: Mar 15, 2026