Broken Authorization in APIs: How to Secure Your Company’s Data

APIs are a core component of modern application design. But if you focus only on authentication ("Who are you?"), you may be overlooking the more serious issue of authorization ("What are you allowed to do?").

When users of your application can reach data or functions outside their permissions, that is broken authorization. What makes it dangerous is that a user needs no hacking skills to exploit it: a valid login and an edited request are enough to reach data or functions they were never entitled to.

How Broken Authorization in APIs Works
Even large companies make this mistake. Common forms of broken authorization include:
1. IDOR (Insecure Direct Object References) - The API looks up a resource by a client-supplied ID and never checks whether the caller is entitled to it, so a user reaches other people's resources simply by changing the ID in the request.
2. Role Checks Are Only Performed on the Front End - Hiding a button in the UI does not stop anyone from making the underlying API call directly.
3. Internal Endpoints Are Not Checked - Endpoints assumed to be used only internally are reachable from outside, and carry no authorization of their own.
4. Tokens Are Too Broad - A single token grants everything from read-only access up to admin rights, instead of being scoped to what the caller actually needs.

A real example of the problem: support agents were able to read the billing information of every single customer simply by changing the user ID in a request. The support UI offered no such option, but the back end never checked that the caller was entitled to that customer's record, so it returned the data anyway.

Why Does This Problem Continue To Exist?
1. Developers typically assume that unauthorized API requests will be filtered out on the front end, by client-side code the attacker fully controls.
2. Internal API endpoints are viewed as "locked down" because "no one knows they exist."
3. Authorization logic is not consistent across endpoints, or is absent altogether.

Attackers can easily exploit broken authorization without using sophisticated methods. Attackers will typically:
1. Log in as a normal user
2. Observe the API requests the application makes, in the browser's developer tools or through an intercepting proxy
3. Change IDs, roles, or parameters
4. View resources or perform actions they should not have access to

The impact ranges from leaking sensitive data to performing actions as an admin, and it frequently goes unnoticed until it is too late.

How do companies protect their APIs?
1. Every request must be authorized on the server. Do not depend on the front end, and do not assume internal traffic is safe.
2. Users should only have access to the resources they own. The back end must verify, for every resource a request names, that the caller owns it or has been explicitly granted access; never trust the client's claim.
3. Deny by default. Only allow actions that are explicitly permitted.
4. Test proactively: change IDs, roles and parameters in requests and see what comes back. Attackers are curious, so be curious first.
5. Monitor logs for request patterns that suggest someone is probing your API, such as one user walking through many object IDs.
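The support-agent scenario, the failure modes listed earlier and the five controls above, as one added example that is not from the original post or from any real product: a billing lookup with no ownership check beside a hardened one that authorizes every request server-side and denies by default, plus a probe that runs the attacker's four steps against each. The in-memory records, token strings, role names and route shape are all constructed assumptions.

```python
"""Added example (not from the post): an IDOR-prone billing lookup beside a
hardened one, plus a probe that runs the attacker's four steps against each.
All data, token strings and role names below are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed sample data: two customers' billing records, keyed by ID.
BILLING = {
    101: {"owner": "alice", "card_last4": "4242"},
    102: {"owner": "bob", "card_last4": "1881"},
}

# Constructed session tokens -> principal. 'carol' is a support agent with a
# coarse "staff" role; 'dave' holds the narrowly scoped billing_admin role.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"customer"}},
    "tok-bob": {"user": "bob", "roles": {"customer"}},
    "tok-agent": {"user": "carol", "roles": {"staff"}},
    "tok-billing": {"user": "dave", "roles": {"billing_admin"}},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def get_billing_vulnerable(token: str, billing_id: int) -> Response:
    """Broken authorization: the caller is authenticated, then the
    client-supplied ID is trusted as-is. The UI only ever shows a user
    their own ID, but nothing here checks ownership, so any logged-in
    user (or support agent) can read any record."""
    if token not in SESSIONS:
        return Response(401)
    record = BILLING.get(billing_id)
    if record is None:
        return Response(404)
    return Response(200, record)


# Explicit allow-list of (role, action). Anything not listed is denied,
# so a generic "staff" role buys nothing on this endpoint.
PERMISSIONS = {
    ("customer", "billing:read_own"),
    ("billing_admin", "billing:read_any"),
}


def can(principal: dict, action: str) -> bool:
    return any((role, action) in PERMISSIONS for role in principal["roles"])


def get_billing_hardened(token: str, billing_id: int) -> Response:
    """Every request is authorized on the server, deny by default:
    the caller must own the record, or hold a role explicitly granted
    'billing:read_any'. Foreign records answer 404 rather than 403 so the
    response does not confirm which IDs exist."""
    principal = SESSIONS.get(token)
    if principal is None:
        return Response(401)
    record = BILLING.get(billing_id)
    if record is None:
        return Response(404)
    if can(principal, "billing:read_any"):
        return Response(200, record)
    if can(principal, "billing:read_own") and record["owner"] == principal["user"]:
        return Response(200, record)
    return Response(404)


def probe_idor(handler, token: str, own_id: int, candidate_ids) -> list:
    """The attacker's procedure: log in as a normal user, confirm the request
    works for your own ID, then swap in other IDs and record every foreign
    record the API hands back. Returns the IDs that leaked."""
    if handler(token, own_id).status != 200:
        raise RuntimeError("baseline request for the caller's own record failed")
    return [i for i in candidate_ids if i != own_id and handler(token, i).status == 200]


if __name__ == "__main__":
    ids = list(BILLING)
    print("vulnerable leaks:", probe_idor(get_billing_vulnerable, "tok-alice", 101, ids))
    print("hardened leaks:  ", probe_idor(get_billing_hardened, "tok-alice", 101, ids))
    print("agent on hardened:", get_billing_hardened("tok-agent", 102).status)
    print("billing_admin on hardened:", get_billing_hardened("tok-billing", 102).status)
```

The same probe is the proactive test from control 4: point it at each object-level endpoint with an ordinary user's token and a list of IDs you do not own, and any non-empty result is a finding. Note that the hardened handler grants nothing to the agent's coarse "staff" role; a support workflow that legitimately needs billing data gets its own narrowly scoped permission, which is the answer to the "tokens are too broad" failure mode.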

Broken authorization is dangerous. It doesn’t crash systems or trigger alarms, yet it’s the root cause of many API breaches.
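The "no alarms" point holds only until someone looks for the pattern. As an added example, not from the original post: a small detector run over constructed access-log lines that flags one principal walking through many object IDs in a single collection, and additionally notes when most of those requests were denied, which is what enumeration looks like against an API that does enforce ownership. The log format, principal names and thresholds are assumptions; adapt the parser to what your gateway actually writes.

```python
"""Added example (not from the post): flag principals that enumerate object IDs.
The log format, principal names and thresholds are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample access log: timestamp, principal, method, path, status.
# 'mallory' walks /api/billing/200..207 and is mostly denied; the others are
# ordinary traffic against their own records.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z alice GET /api/billing/101 200
2025-01-10T09:00:02Z alice GET /api/orders/5001 200
2025-01-10T09:00:03Z alice GET /api/me 200
2025-01-10T09:01:00Z mallory GET /api/billing/200 200
2025-01-10T09:01:01Z mallory GET /api/billing/201 404
2025-01-10T09:01:02Z mallory GET /api/billing/202 404
2025-01-10T09:01:03Z mallory GET /api/billing/203 200
2025-01-10T09:01:04Z mallory GET /api/billing/204 404
2025-01-10T09:01:05Z mallory GET /api/billing/205 404
2025-01-10T09:01:06Z mallory GET /api/billing/206 404
2025-01-10T09:01:07Z mallory GET /api/billing/207 403
2025-01-10T09:02:00Z bob GET /api/billing/102 200
2025-01-10T09:02:05Z bob PUT /api/billing/102 200
"""

# Only object-level paths (/api/<collection>/<numeric id>) matter here;
# lines such as /api/me are skipped by the parser.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) (?P<method>[A-Z]+) "
    r"/api/(?P<collection>\w+)/(?P<oid>\d+) (?P<status>\d{3})$"
)


def parse(log: str):
    """Yield (principal, collection, object_id, status) for object-level requests."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m["principal"], m["collection"], int(m["oid"]), int(m["status"])


def find_enumerators(log: str, min_distinct: int = 5, denied_ratio: float = 0.4) -> dict:
    """Per (principal, collection), count distinct object IDs touched and the
    share of 403/404 answers. A principal that reaches `min_distinct` IDs is
    reported for fan-out alone (on a vulnerable API every probe succeeds, so
    status codes say nothing); a denied share at or above `denied_ratio` is
    added as a second reason. Real deployments should window this by time."""
    stats = defaultdict(lambda: {"ids": set(), "total": 0, "denied": 0})
    for principal, collection, oid, status in parse(log):
        s = stats[(principal, collection)]
        s["ids"].add(oid)
        s["total"] += 1
        if status in (403, 404):
            s["denied"] += 1

    findings = {}
    for (principal, collection), s in stats.items():
        if len(s["ids"]) < min_distinct:
            continue
        ratio = s["denied"] / s["total"]
        reasons = ["fan-out"]
        if ratio >= denied_ratio:
            reasons.append("denied-ratio")
        findings[principal] = {
            "collection": collection,
            "distinct_ids": len(s["ids"]),
            "denied_ratio": round(ratio, 2),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for who, finding in find_enumerators(SAMPLE_LOG).items():
        print(who, finding)
```

The fan-out signal matters more than the denied ratio: against an API with broken authorization the enumeration succeeds, so every probe returns 200 and only the number of distinct IDs one principal touched gives it away. Tune `min_distinct` per collection, since a dashboard that legitimately loads dozens of a user's own orders must not trip it.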

Companies that enforce strict access controls, test endpoints rigorously, and monitor suspicious activity dramatically reduce risk and sleep better at night knowing their APIs aren’t handing out “keys to the kingdom” by mistake.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067