Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Vertical Broken Function Level Authorization (BFLA) - Vulnerability Database

Vertical Broken Function Level Authorization (BFLA)

Description

Vertical Broken Function Level Authorization (BFLA) occurs when an application fails to enforce proper authorization checks between users of different privilege levels. Unlike horizontal authorization issues where users access each other's resources at the same level, vertical BFLA allows lower-privileged users (such as regular users) to access functions or resources intended only for higher-privileged users (such as administrators). Attackers exploit this by directly calling privileged API endpoints or functions without the application verifying their authorization level.

Remediation

Implement comprehensive authorization controls to prevent vertical privilege escalation:

1. Enforce Authorization Checks on Every Request:
Verify user permissions for each function call, not just at the UI level. Never rely on client-side controls alone.

// Example: Node.js/Express middleware
function requireAdmin(req, res, next) {
  if (!req.user || req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden: Admin access required' });
  }
  next();
}

app.delete('/api/users/:id', requireAdmin, deleteUser);

2. Implement Role-Based Access Control (RBAC):
Define clear roles and permissions, and centralize authorization logic in a dedicated service or middleware layer.
// Example: Python/Flask with decorator
from functools import wraps

def requires_role(required_role):
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not current_user.has_role(required_role):
                abort(403, description="Insufficient privileges")
            return f(*args, **kwargs)
        return decorated_function
    return decorator

@app.route('/admin/settings', methods=['POST'])
@requires_role('admin')
def update_settings():
    # Admin-only function

3. Apply the Principle of Least Privilege:
Grant users only the minimum permissions necessary for their role. Default to denying access unless explicitly permitted.

4. Validate Authorization Server-Side:
Always perform authorization checks on the backend. Never trust client-side role information or hidden UI elements to enforce security.

5. Conduct Regular Security Testing:
Perform penetration testing and automated security scans specifically targeting authorization flaws. Test with users of different privilege levels to identify gaps in access controls.

References

API5:2023 Broken Function Level Authorization

Related Vulnerabilities

Horizontal Broken Function Level Authorization (BFLA) High
Common tags: BOLA API BFLA
GraphQL Unauthenticated Mutation Detected Medium
Common tags: API BFLA
Horizontal IDOR/BOLA (Broken Object Level Authorization) High
Common tags: BOLA
Vertical IDOR/BOLA (Broken Object Level Authorization) High
Common tags: BOLA

Severity

High

Classification

CWE-639
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Tags

BOLA
API BFLA