Original Post: Broken Function Level Authorization — Web API Security Champion
The post is a case study on the "Damn Vulnerable RESTaurant API" that focuses on Broken Function Level Authorization (OWASP API Security Top 10, API5). The vulnerability sits in the /users/update_role API endpoint, which is meant to let restaurant chefs update user roles. The implementation never checks the role of current_user, so any authenticated user can change another user's role to "Employee". The handler does refuse to assign the "Chef" role, but that restriction is not a substitute for an authorization check: promoting any account to Employee is still a privilege escalation, and it unlocks whatever the application gates on that role. The study uses the project's FastAPI-based open-source code base to demonstrate the flaw in practice.
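The check the post describes as missing, shown as an added example that is not code from the original post or from the Damn Vulnerable RESTaurant project. It is framework-free Python so it runs offline: the role names, the in-memory user table, the `HTTPError` class and the `require_roles` decorator are all assumptions standing in for the project's own enum, SQLAlchemy models, FastAPI `HTTPException` and `Depends()` dependency. `update_role_vulnerable` reproduces the behaviour the post describes (only the target role is restricted); `update_role_fixed` adds the caller-role check.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps
from typing import Callable, Dict


class Role(str, Enum):
    # Role names are assumed; the real project defines its own set.
    CUSTOMER = "Customer"
    EMPLOYEE = "Employee"
    CHEF = "Chef"


@dataclass
class User:
    username: str
    role: Role


class HTTPError(Exception):
    """Stand-in for FastAPI's HTTPException (assumption, not the project's class)."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


# Constructed in-memory user table; replaces the project's database for this example.
USERS: Dict[str, User] = {}


def reset_db() -> None:
    """Repopulate the constructed user table so each scenario starts clean."""
    USERS.clear()
    USERS["alice"] = User("alice", Role.CUSTOMER)
    USERS["mallory"] = User("mallory", Role.CUSTOMER)   # low-privilege attacker
    USERS["chef"] = User("chef", Role.CHEF)


def _apply_role_change(username: str, role: str) -> User:
    """Shared business logic: look up the target and apply the new role.
    Only the *target* role is restricted here, exactly as the post describes."""
    target = USERS.get(username)
    if target is None:
        raise HTTPError(404, "User not found")
    new_role = Role(role)  # ValueError for unknown role names -> 400 in attempt()
    if new_role == Role.CHEF:
        raise HTTPError(400, "Chef role cannot be assigned")
    target.role = new_role
    return target


def update_role_vulnerable(current_user: User, username: str, role: str) -> User:
    """Broken Function Level Authorization: current_user.role is never consulted,
    so any authenticated caller can promote any account to Employee."""
    return _apply_role_change(username, role)


def require_roles(*allowed: Role) -> Callable:
    """Guard factory (assumed helper). Centralising the check keeps it from being
    forgotten on a new endpoint; in FastAPI this would live in a Depends() dependency."""

    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role not in allowed:
                raise HTTPError(403, "Operation not permitted")
            return fn(current_user, *args, **kwargs)

        return wrapper

    return decorator


@require_roles(Role.CHEF)
def update_role_fixed(current_user: User, username: str, role: str) -> User:
    """Hardened handler: the caller must already be a Chef before the
    target-role restriction is even evaluated."""
    return _apply_role_change(username, role)


def attempt(handler: Callable, current_user: User, username: str, role: str) -> int:
    """Drive a handler the way a client would observe it: return an HTTP status code."""
    try:
        handler(current_user, username, role)
    except HTTPError as err:
        return err.status
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    reset_db()
    print("vulnerable, mallory -> alice=Employee:",
          attempt(update_role_vulnerable, USERS["mallory"], "alice", "Employee"))
    reset_db()
    print("fixed, mallory -> alice=Employee:",
          attempt(update_role_fixed, USERS["mallory"], "alice", "Employee"))
    print("fixed, chef -> alice=Employee:",
          attempt(update_role_fixed, USERS["chef"], "alice", "Employee"))
```

The fix is deliberately placed before the target-role check rather than next to it: the "no Chef assignment" rule is a business constraint on the request body, while the caller-role check is an authorization decision, and the post's point is that the second was missing entirely. When reviewing similar endpoints, test each one with the lowest-privilege authenticated account you can obtain and expect a 403, not a 400 or a 200.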