API5:2023 - Broken Function Level Authorization

Teams often protect UI routes but forget direct API endpoint protection, especially for internal or admin functions. Attackers can call these endpoints directly if role checks are not enforced server-side.

• Non-admin users invoking administrative actions.
• Unauthorized changes to business-critical settings.
• Privilege escalation from basic accounts.

• Enforce RBAC/ABAC at the API handler or policy layer.
• Default-deny privileged routes until explicit permission is granted.
• Separate public/user/admin routes and permission sets clearly.
• Add authorization regression tests for every privileged endpoint.