What is Broken Function-Level Authorisation (BFLA)?

Broken Function Level Authorisation (BFLA) is a critical security vulnerability that plagues many modern applications and APIs. This blog will explore BFLA in-depth, discussing its impact, how it works, and ways to prevent it. We'll also touch on related concepts and provide practical examples to help you better understand this important security issue.

What is Broken Function-Level Authorisation (BFLA)?

Broken Function-Level Authorisation occurs when an application fails to properly enforce access controls for specific functions or actions. In simpler terms, it allows users to perform operations they shouldn't have permission to do. This vulnerability is particularly common in systems with complex user roles and permissions.

BFLA is a significant concern in the world of API security. In fact, the Open Web Application Security Project (OWASP) ranks it as the 5th most critical API security risk as of 2023. This highlights the value of recognising and addressing BFLA in current software development.

Also Read: What is the OWASP API Security Top 10?

BFLA vs. Broken Object Level Authorisation (BOLA)

While discussing BFLA, it's important to distinguish it from a related concept: Broken Object Level Authorisation (BOLA). Here's how they differ:

The Impact of BFLA

The consequences of Broken Function Level Authorisation can be severe:

1. Unauthorised Access: Attackers can perform actions beyond their intended permissions.
2. Data Breaches: Sensitive information may be exposed or manipulated.
3. System Integrity: The overall security and functionality of the application can be compromised.
4. Financial Loss: Unauthorised actions could lead to financial damage or fraud.
5. Reputation Damage: Security breaches can erode user trust and harm an organisation's reputation.

How BFLA Attacks Work

Understanding how BFLA attacks occur is crucial for prevention. Here's a typical process:

1. Exploration and Mapping: Attackers identify system functionalities and map out accessible features.
2. Role Comparison and Access Testing: They compare access levels of different user roles and test for discrepancies.
3. Exploitation of Misconfigurations: Upon finding vulnerabilities, attackers craft requests to bypass authorisation checks.
4. Leveraging the Attack: Unauthorised access is used for malicious purposes, such as data theft or further system exploitation.

BFLA Example: Unauthorised Invitation Creation

Let's look at a practical example of a BFLA vulnerability:

Imagine an application that requires an invitation to join. Normally, only administrators can create new invitations through a special admin area. A BFLA vulnerability allows an attacker to exploit this by submitting a carefully designed POST request:

POST /API/invites/new

{

"email": "hacker@otherhost.com",

"role": "admin"

}

In this case, the application fails to properly check if the user has the authority to create invitations or assign admin roles. As a result, the attacker can create an admin account for themselves, gaining full control over the application.

Preventing BFLA Vulnerabilities

To effectively protect against Broken Function Level Authorisation (BFLA), several key strategies should be implemented:

Implement Robust Role-Based Access Control (RBAC)

RBAC is crucial for preventing BFLA by ensuring that permissions are clearly defined and enforced based on user roles. This requires carefully establishing user roles and permissions and constantly evaluating and upgrading them to reflect organisational changes.

Function-Level Validation

Proper function-level validation is essential in mitigating BFLA risks. It involves verifying user permissions before processing an action or function request. Implementing comprehensive permission checks throughout the application helps ensure that users can only access functions appropriate to their roles.

Secure Session Management

Effective session management is critical in preventing unauthorised access that could lead to BFLA. This includes applying timeouts for inactive sessions, securely managing session tokens and encrypting session data. These measures help restrict function access to legitimately logged-in users with appropriate permissions.

Centralised Access Management

A centralised access management system ensures consistent enforcement of authorisation policies across the application. This approach simplifies the management of roles and permissions, making it easier to update and enforce policies uniformly.

Minimise Client-Side Authorisation

Relying on client-side authorisation is risky as it can be easily manipulated. To minimise BFLA risks, ensure that all critical authorisation checks are performed on the server side. Limit the amount of sensitive data sent to the client to reduce the risk of exposure or tampering.

API Security Testing for BFLA

1. Manual Testing: Identify and test endpoints with specific functionalities. Use tools like BurpSuite to analyse requests and responses, testing different user roles and HTTP methods.
2. Automated Testing: Employ specialised tools for efficient, large-scale API security testing. Integrate continuous testing into the development pipeline to catch BFLA vulnerabilities early.
3. Penetration Testing: Perform penetration testing to identify possible vulnerabilities in authorisation methods and to replicate real-world attacks.

Combining these prevention strategies and testing methods creates a robust defence against BFLA, enhancing overall API security. Regular testing and updates are crucial to maintain protection against evolving threats in API security.

BFLA Incidents: The Equifax Data Breach

To understand the real-world impact of BFLA, consider the Equifax data breach of 2017. This incident exposed the personal information of 143 million individuals. 

The breach was partly due to a vulnerability in the Apache Struts API framework and a broken function level authorisation in Equifax's web application. Using these vulnerabilities, attackers bypassed the defective BFLA method to obtain sensitive data. 

This event, along with the Broken Object Level Authorisation API example of the BOLA attack at Russia’s central bank back in 2016, highlights the need for API security and function-level authorisation.

Best Practices for BFLA Prevention

To wrap up, here are some key best practices for preventing Broken Function Level Authorisation:

1. Implement the Principle of Least Privilege: Grant just the permissions needed for tasks.
2. Use a Whitelist Approach: Define allowed HTTP methods for each functionality and restrict all others.
3. Regularly Audit and Update Access Controls: As your application evolves, make sure your authorisation mechanisms keep pace.
4. Implement Strong Authentication: Use multi-factor authentication, especially for sensitive operations.
5. Conduct Thorough Testing: Regularly test your APIs against function-level authorisation vulnerabilities.
6. Educate Developers: Ensure your development team understands the importance of proper authorisation checks.
7. Use Security Tools: Leverage automated security testing tools to catch potential BFLA vulnerabilities early.

Conclusion

Broken Function Level Authorisation is a serious security vulnerability that can have far-reaching consequences for applications and APIs. A related issue is Broken Object Level Authorisation, which can also lead to unauthorised access. 

By prioritising API security and addressing issues like BFLA and object-level authorisation flaws, we can build more secure and reliable applications for everyone.

At InstaSafe, we believe in simplifying security without compromising protection. Our Zero Trust Network Access or ZTNA solution offers a seamless way to safeguard your digital assets 24/7.

Frequently Asked Questions (FAQs)

1. What are some root causes of BFLA?

Poor access control design, inadequate permission checks, reliance on client-side authorisation, and inconsistent enforcement of authorisation policies across different application layers often cause BFLA.

2. What’s the best way to detect BFLA vulnerability with API?

The most effective way to detect BFLA in APIs is through comprehensive API security testing. This includes automated scanning, manual penetration testing, and regularly attempting to access privileged functions with lower-level user accounts.

3. What is missing or broken authentication?

Missing or broken authentication occurs when an application fails to properly verify user identities. This can let people who aren't supposed to be there get access to private data or functions, usually because of poor session management or weak password rules.