1 hour 43 minutes

Video Transcription

Hey, everyone, welcome back to the course. So in this video, we're gonna talk about the fifth item on the OWASP API Security Top 10, which is broken function level authorization.
We're gonna talk about what it is, and we'll also talk about ways you can mitigate against it.
So what is broken function level authorization? Well, basically, this is where the API relies on the client to use the user-level or admin-level APIs. And what happens is the attacker figures out the hidden admin API methods, and then they can invoke those directly.
So let's take a quick look at an example of what that might look like. So this could be a URL right here, and what the attacker does is change the parameter to say "admins" and then also "all", and so basically they're taking control and invoking themselves as an administrator to gain further access.
So how can we actually prevent against this, or mitigate it? Well, number one, don't just rely on the app itself to enforce the administrator access, and set specific roles. So grant that access based on roles, through role-based access control.
Also, design and test the authorization to make sure it's actually functioning properly before you're pushing out those apps.
And as a default, kind of as a last measure, deny all by default.
So in this video, we just talked about what broken function level authorization is. We also talked about some ways to mitigate it. Now, you may recall, a few years back, the Gator children's smartwatch. This is an example of one of many issues with that smartwatch, but broken function level authorization is one of the many ways that attackers could have potentially exploited that watch to get more data about your kid. So it's very important that we focus on broken function level authorization and all of these API security issues.
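The pattern the video describes, shown as an added example that is not part of the course material: a request dispatcher written two ways. The vulnerable version hides the admin functions behind a separate path and trusts a client-supplied role parameter, so a normal user who guesses the path and adds role=admin gets through. The hardened version keeps a server-side table of which roles may invoke each function, takes the caller's role from the server's own user record, and denies anything that is not explicitly allowed. The user store, the paths (/api/users/me, /api/admins/users), the roles and the Request type are all constructed for illustration; a real service would get these from its framework and database.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data: the server's own user store. The role is decided
# server-side; it is never read from anything the client sends.
USERS = {"alice": {"role": "user"}, "bob": {"role": "admin"}}


@dataclass
class Request:
    method: str
    path: str
    user_id: Optional[str]                                 # set by authentication; None = anonymous
    params: Dict[str, str] = field(default_factory=dict)   # query/body parameters from the client


def get_profile(user_id: str) -> dict:
    return {"status": 200, "body": {"id": user_id, "role": USERS[user_id]["role"]}}


def list_users() -> dict:
    return {"status": 200, "body": sorted(USERS)}


def delete_user(target: str) -> dict:
    return {"status": 200, "body": f"deleted {target}"}


# --- Vulnerable: the admin functions are merely "hidden" on another path, and
# the server lets a client-supplied role parameter decide who may call them.
def vulnerable_dispatch(req: Request) -> dict:
    if req.user_id is None:
        return {"status": 401, "body": "login required"}
    if req.method == "GET" and req.path == "/api/users/me":
        return get_profile(req.user_id)
    # A regular user who discovers the /api/admins/ path just adds role=admin.
    if req.method == "GET" and req.path == "/api/admins/users" and req.params.get("role") == "admin":
        return list_users()
    if req.method == "DELETE" and req.path.startswith("/api/admins/users/") and req.params.get("role") == "admin":
        return delete_user(req.path.rsplit("/", 1)[1])
    return {"status": 404, "body": "not found"}


# --- Hardened: role-based access control decided server-side, deny by default.
Handler = Callable[[Request, Dict[str, str]], dict]

# Every function is registered with the set of roles allowed to invoke it.
# There is no "allow" fallthrough: a function not listed here, or a caller
# whose server-side role is not in its set, is denied.
ROUTES: Dict[Tuple[str, str], Tuple[Set[str], Handler]] = {
    ("GET", "/api/users/me"):             ({"user", "admin"}, lambda r, p: get_profile(r.user_id)),
    ("GET", "/api/admins/users"):         ({"admin"},         lambda r, p: list_users()),
    ("DELETE", "/api/admins/users/{id}"): ({"admin"},         lambda r, p: delete_user(p["id"])),
}


def _match(template: str, path: str) -> Optional[Dict[str, str]]:
    """Match a template like /api/admins/users/{id} against a concrete path.
    Returns the captured segments, or None if the path does not match."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return None
    captured: Dict[str, str] = {}
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            captured[t[1:-1]] = p
        elif t != p:
            return None
    return captured


def hardened_dispatch(req: Request) -> dict:
    if req.user_id is None:
        return {"status": 401, "body": "login required"}
    # The caller's role comes from the server's record of the authenticated
    # user; a role parameter sent by the client is ignored entirely.
    role = USERS.get(req.user_id, {}).get("role")
    for (method, template), (allowed_roles, handler) in ROUTES.items():
        if method != req.method:
            continue
        captured = _match(template, req.path)
        if captured is None:
            continue
        if role not in allowed_roles:
            return {"status": 403, "body": "forbidden"}
        return handler(req, captured)
    return {"status": 404, "body": "not found"}


if __name__ == "__main__":
    # The attack from the video: a normal user switches to the admin path
    # and adds role=admin.
    attack = Request("GET", "/api/admins/users", "alice", {"role": "admin"})
    print("vulnerable:", vulnerable_dispatch(attack)["status"])   # 200: admin function invoked
    print("hardened:  ", hardened_dispatch(attack)["status"])     # 403: server-side role wins
```

The test for the hardened path is the one the video asks for: call every admin function as a regular user, both with and without the client-side role parameter, and expect 403 each time. That is also why the role set lives in the route table rather than inside each handler; a new admin function that is added without an entry simply cannot be reached, which is what "deny all by default" means in practice.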

Up Next

Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.

Instructed By

Ken Underhill
Master Instructor at Cybrary