Broken Function Level Authorization (API BFLA)
An admin-only HTTP method or function is reachable by a regular authenticated user, e.g. PUT, DELETE or PATCH on /admin/users.
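An added example (not from the registry page) modelling the bug above: a route guard that only gates the verbs the developer thought of, next to a deny-by-default, method-aware policy, plus the probe a tester runs to find which verbs a low-privileged role can still use. The paths, roles, status codes and handlers are assumptions constructed for illustration; requests are taken to be already authenticated, so only authorization is modelled.

```python
"""Model of Broken Function Level Authorization (BFLA) and its fix.

Added illustration, not the registry's or any project's code. The routes,
roles and status codes below are constructed assumptions.
"""
from dataclasses import dataclass

ADMIN_PREFIX = "/admin/"
VERBS = ("GET", "POST", "PUT", "PATCH", "DELETE")


@dataclass
class Request:
    method: str
    path: str
    role: str  # "user" or "admin"; assume authentication already happened


def _handle(req: Request) -> int:
    # Stand-in for the real handlers: anything that reaches here succeeds.
    return 200


def vulnerable_dispatch(req: Request) -> int:
    """Typical BFLA: the admin guard is written only for GET, so every other
    verb on /admin/* falls through to the handler unchecked."""
    if req.path.startswith(ADMIN_PREFIX) and req.method == "GET":
        if req.role != "admin":
            return 403
    return _handle(req)


# Hardened policy: explicit (method, route) -> allowed roles, deny by default.
POLICY = {
    ("GET", "/users/me"): {"user", "admin"},
    ("GET", "/admin/users"): {"admin"},
    ("PUT", "/admin/users"): {"admin"},
    ("PATCH", "/admin/users"): {"admin"},
    ("DELETE", "/admin/users"): {"admin"},
}
KNOWN_ROUTES = {path for _, path in POLICY}


def _normalize(path: str) -> str:
    # Collapse trailing slashes so "/admin/users/" cannot dodge an exact match.
    return "/" + path.strip("/")


def hardened_dispatch(req: Request) -> int:
    path = _normalize(req.path)
    if path not in KNOWN_ROUTES:
        return 404  # unknown route: nothing is implicitly reachable
    allowed = POLICY.get((req.method.upper(), path))
    if allowed is None:
        return 405  # route exists but this verb was never granted to anyone
    if req.role not in allowed:
        return 403  # verb exists, caller's role is not on the allow-list
    return _handle(req)


def probe_bfla(dispatch, path: str, role: str = "user") -> list[str]:
    """Tester's view: which verbs does `role` get a 2xx for on `path`?"""
    return [v for v in VERBS if 200 <= dispatch(Request(v, path, role)) < 300]


if __name__ == "__main__":
    print("vulnerable:", probe_bfla(vulnerable_dispatch, "/admin/users"))
    print("hardened:  ", probe_bfla(hardened_dispatch, "/admin/users"))
    print("hardened (admin):", probe_bfla(hardened_dispatch, "/admin/users", "admin"))
```

The probe is the check worth automating: replay every verb on each privileged route with a regular user's session and flag any 2xx. On the hardened side the point is the shape of the policy, not the status codes: the allow-list is keyed by verb and normalized path, so a verb the developer never considered is refused rather than silently passed through.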
§ Where this technique fits
W-BFLA is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 4.3 on average.
§ Dossiers chaining this technique
- step 3 / 5
Server-side prototype pollution → auth bypass → RCE
Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE.
- step 4 / 5
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- step 5 / 6
HTTP request smuggling (CL.TE) → admin panel bypass
Frontend uses Content-Length, backend uses Transfer-Encoding. Smuggle a request whose path bypasses the frontend's authentication checks.
- step 5 / 6
JWT RS256 → HS256 algorithm confusion → admin
The server verifies whatever algorithm the JWT header declares. Sign an HS256 token using the public RSA key as the HMAC secret; the server accepts it as valid.
§ What commonly comes next
- 01 Exfiltration Over C2 Channel (seen 3×) · T1041 · Exfiltration
- 02 Server-Side Prototype Pollution → RCE (seen 1×) · W-PROTOTYPE-SERVER · Execution