
Broken Function Level Authorization (BFLA)

Broken Function Level Authorization (BFLA) is a flaw where a user can access or trigger functions they should not be permitted to use. It matters because APIs and applications often protect data objects better than the powerful actions those objects can invoke.

What is Broken Function Level Authorization (BFLA)?

BFLA occurs when server-side logic fails to enforce authorization on administrative, privileged, or otherwise restricted operations. Attackers may discover hidden or lightly documented endpoints and call them directly if checks are missing or inconsistent.

What Broken Function Level Authorization (BFLA) Commonly Supports

The concept is commonly applied in API security review, authorization testing, abuse-case analysis, and secure design validation.

Broken Function Level Authorization (BFLA) vs. Consistent Server-Side Function Authorization

BFLA exposes functions without proper permission checks. Consistent authorization ensures every sensitive function verifies who is calling and what they may do.
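To make the contrast concrete, here is an added example (not code from the original entry) in Python: a minimal request dispatcher written two ways. The vulnerable version only authenticates the caller and then routes to whatever handler matches, so the "hidden" admin functions are reachable by any logged-in user. The hardened version maps every function to the role it requires in one table and denies by default when a function has no entry, which is the consistent server-side check the entry describes. Users, routes and roles are constructed sample data, not taken from any real system.

```python
"""Function-level authorization: a vulnerable dispatcher beside a hardened one.

Added example; all users, routes and roles below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample accounts (hypothetical). Authentication is assumed to have
# already established req.user; the question here is only *what* each user may call.
USERS = {
    "alice": {"roles": {"user"}},
    "root": {"roles": {"user", "admin"}},
}


@dataclass
class Request:
    method: str
    path: str
    user: str


@dataclass
class Response:
    status: int
    body: str


# Business functions. The handlers themselves contain no permission logic;
# authorization is enforced once, centrally, in the dispatcher.
def profile(req: Request) -> Response:
    return Response(200, f"profile of {req.user}")


def delete_user(req: Request) -> Response:
    return Response(200, "user deleted")


def export_all(req: Request) -> Response:
    return Response(200, "full export started")


def rotate_keys(req: Request) -> Response:
    return Response(200, "keys rotated")


# Route table: "METHOD path" -> handler. The admin routes are not linked from any UI.
HANDLERS = {
    "GET /api/profile": profile,
    "DELETE /api/users": delete_user,
    "POST /api/admin/export": export_all,
    "POST /api/admin/rotate-keys": rotate_keys,  # deliberately left out of REQUIRED_ROLE below
}

# Single source of truth for function-level permissions (hypothetical policy).
REQUIRED_ROLE = {
    "GET /api/profile": "user",
    "DELETE /api/users": "admin",
    "POST /api/admin/export": "admin",
}


def vulnerable_dispatch(req: Request) -> Response:
    """BFLA: authenticates the caller, then trusts route obscurity for the admin functions."""
    if req.user not in USERS:
        return Response(401, "unauthenticated")
    handler = HANDLERS.get(f"{req.method} {req.path}")
    if handler is None:
        return Response(404, "not found")
    return handler(req)  # any authenticated user reaches any function


def hardened_dispatch(req: Request) -> Response:
    """Consistent server-side check: every function needs an explicit role; unmapped functions fail closed."""
    if req.user not in USERS:
        return Response(401, "unauthenticated")
    key = f"{req.method} {req.path}"
    handler = HANDLERS.get(key)
    if handler is None:
        return Response(404, "not found")
    required = REQUIRED_ROLE.get(key)
    # Deny by default: a function with no policy entry is treated as forbidden for everyone,
    # so forgetting to register a new admin route cannot silently expose it.
    if required is None or required not in USERS[req.user]["roles"]:
        return Response(403, "forbidden")
    return handler(req)


def unmapped_functions() -> set:
    """Defensive check for CI: every routable function must have a permission entry."""
    return set(HANDLERS) - set(REQUIRED_ROLE)


if __name__ == "__main__":
    probe = Request("DELETE", "/api/users", "alice")  # ordinary user calls an admin function
    print("vulnerable:", vulnerable_dispatch(probe))   # 200, the flaw
    print("hardened:  ", hardened_dispatch(probe))     # 403
    print("functions missing a policy entry:", unmapped_functions())
```

The `unmapped_functions` check is the piece teams most often skip: run it as a unit test so that adding a route without a matching policy entry fails the build rather than shipping as a lightly documented endpoint.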

Frequently Asked Questions

Why is BFLA common?

Because teams sometimes assume UI visibility or route obscurity is enough to protect sensitive actions.

How is BFLA different from object authorization problems?

BFLA is about unauthorized access to functions or actions, while object-level issues focus more on access to specific records or resources.
