API Broken Function Level Auth Scanner
Identifies broken function level authorization in APIs.
What is API Broken Function Level Auth?
Broken Function Level Authorization occurs when an API does not properly restrict access to administrative or privileged functions. Regular users can reach admin endpoints, delete operations, or other sensitive functions simply by sending the request: the API checks that the caller is authenticated but never verifies that the caller is authorized to perform that particular action.
Why is This Important?
Function-level auth bypass enables regular users to perform admin actions: deleting data, modifying configurations, accessing reports, or managing other users. It's essentially vertical privilege escalation through the API, potentially giving full control to any authenticated user.
How It Works
1. API Discovery
Automatically discovers API endpoints, methods, parameters, and authentication mechanisms from documentation or traffic.
2. Security Testing
Tests for OWASP API Top 10 vulnerabilities including broken authentication, excessive data exposure, and injection flaws.
3. Compliance Validation
Validates API security against industry standards with detailed findings and remediation guidance.
Key Capabilities
Complete API security coverage aligned with OWASP API Security Top 10 and industry best practices.
- Automatic API endpoint discovery
- Authentication and authorization testing
- Rate limiting and resource exhaustion checks
- Data exposure and sensitive info detection
- API versioning and deprecation analysis
Frequently Asked Questions
How do I test for broken function-level authorization?
Testing approach: call admin endpoints with a regular user's token, send DELETE/PUT/POST requests to resources as a read-only user, try common admin paths (/admin/, /api/admin/), repeat each request under every role and verify the expected restrictions hold, and check that the enforced function authorization matches the documented permission model.
Where is function-level auth commonly broken?
Common locations: admin endpoints assumed unreachable, internal API endpoints, bulk operations (export, delete all), management functions (user creation, role assignment), and debug/maintenance endpoints left exposed.
Why does function-level auth fail?
Failures occur because: developers rely on the UI hiding buttons instead of enforcing checks server-side, the same endpoints serve different roles without role checks, authorization is applied inconsistently across routes, internal APIs are trusted without validation, and admin functions are added without a proper security review.
How do I implement proper function-level authorization?
Implementation: define roles and permissions explicitly, apply authorization middleware to every endpoint, verify that the caller's permissions match the action type (authentication alone is not enough), use deny-by-default for sensitive operations, separate admin and user API paths, and regularly audit which roles can reach which functions.
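The two FAQ answers above (how to test, how to implement) are shown together below in an added example that is not part of the original page or the scanner described on it. It uses a small framework-free route table with constructed roles, permissions and endpoints: a vulnerable dispatcher that only checks that the caller is authenticated, a hardened deny-by-default dispatcher that also requires the route's permission, and an authorization-matrix check that exercises every role against every route and reports the pairs that are allowed but should not be. All role names, permission strings and paths are hypothetical.

```python
"""Function-level authorization: vulnerable vs. deny-by-default dispatch,
plus a role/route matrix check. Added example; all names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed role -> permission map. In a real service this is the explicit
# permission model the FAQ recommends defining up front.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"users:read"},
    "editor": {"users:read", "users:write"},
    "admin": {"users:read", "users:write", "users:delete", "admin:reports"},
}


@dataclass
class Request:
    method: str
    path: str
    role: str  # would come from a validated session or token in a real app


class Forbidden(Exception):
    """Raised when a request is rejected by the authorization layer."""


# Route table: (method, path) -> (required permission, handler).
Handler = Callable[[Request], str]
ROUTES: Dict[Tuple[str, str], Tuple[str, Handler]] = {}


def route(method: str, path: str, permission: str):
    """Register a handler together with the permission the action requires."""
    def register(handler: Handler) -> Handler:
        ROUTES[(method, path)] = (permission, handler)
        return handler
    return register


@route("GET", "/api/users", "users:read")
def list_users(req: Request) -> str:
    return "users listed"


@route("DELETE", "/api/users/42", "users:delete")
def delete_user(req: Request) -> str:
    return "user 42 deleted"


@route("GET", "/api/admin/reports", "admin:reports")
def admin_reports(req: Request) -> str:
    return "report generated"


def dispatch_vulnerable(req: Request) -> str:
    """Broken function-level auth: only checks that the caller has *a* role,
    never that the role is permitted to perform this specific action."""
    if req.role not in ROLE_PERMISSIONS:
        raise Forbidden("unauthenticated")
    entry = ROUTES.get((req.method, req.path))
    if entry is None:
        raise Forbidden("no such route")
    _permission, handler = entry
    return handler(req)


def dispatch_hardened(req: Request) -> str:
    """Deny by default: unknown route, unknown role, or a role that lacks the
    route's required permission is rejected before the handler runs."""
    entry = ROUTES.get((req.method, req.path))
    if entry is None:
        raise Forbidden("no such route")
    permission, handler = entry
    granted = ROLE_PERMISSIONS.get(req.role, set())
    if permission not in granted:
        raise Forbidden(f"role {req.role!r} lacks {permission!r}")
    return handler(req)


def is_allowed(dispatcher: Callable[[Request], str], req: Request) -> bool:
    try:
        dispatcher(req)
        return True
    except Forbidden:
        return False


def authorization_matrix(dispatcher: Callable[[Request], str]) -> List[Tuple[str, str, str]]:
    """Exercise every (role, route) pair, as the FAQ's testing approach suggests,
    and return the pairs the dispatcher allows even though the permission
    model says the role should not have that function."""
    violations = []
    for role, granted in ROLE_PERMISSIONS.items():
        for (method, path), (permission, _handler) in ROUTES.items():
            expected = permission in granted
            actual = is_allowed(dispatcher, Request(method, path, role))
            if actual and not expected:
                violations.append((role, method, path))
    return violations


if __name__ == "__main__":
    print("vulnerable:", authorization_matrix(dispatch_vulnerable))
    print("hardened:  ", authorization_matrix(dispatch_hardened))
```

Running the matrix against the vulnerable dispatcher lists the viewer and editor roles reaching the delete and admin-report routes; against the hardened dispatcher it is empty. The same matrix is the audit the last FAQ step asks for, and it is cheap to keep as a regression test so a newly added admin function without a permission cannot slip through.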
Ready to secure your application?
Start testing for API broken function level auth vulnerabilities today.