Broken Function Level Authorization leads to disclosure of the PII of all company users
In the name of Allah, the Most Gracious, the Most Merciful
What is PII?
Personal data, also known as personal information or personally identifiable information (PII), is any information relating to an identifiable person: names, e-mail addresses, phone numbers, and similar fields.
During an API penetration test I found a BFLA (Broken Function Level Authorization) vulnerability through which the PII of all company users was disclosed.
What is BFLA (Broken Function Level Authorization)?
Broken function-level authorization is closely related to broken object-level authorization (BOLA). In both cases an attacker reaches an API function they are not authorized to use because the server does not properly validate who is making the request. The difference is in what is being reached: BOLA is about a specific object (for example, another user's record, by changing an ID), while BFLA is about a whole function or method that the caller's role should not be allowed to invoke at all (for example, an administrative "list all users" endpoint, or a different HTTP verb on the same path). A quick way to test for it is to take a request that works for a low-privilege user and change the function being called: try another HTTP method, or turn a request for one object into a request for the whole collection, and see whether the server still answers with the same low-privilege session.
I do API penetration testing with Postman. I configured Postman to use Burp Suite as its proxy so that all traffic from Postman is forwarded to Burp Suite. I attached a video link showing how to configure Postman with Burp Suite.
My company gave me an API collection for pen testing. I can't disclose the company URL because it is confidential. I imported the collection into Postman and noticed a PATCH request used to update a user's profile.
I intercepted this request in Burp Suite's proxy.
I then modified it: I removed the username parameter from the request body, removed the user-id from the end of the URL, and changed the method from PATCH to GET.
I sent the modified request to the Repeater tab and replayed it. The response disclosed the PII of all company users: the collection endpoint accepted a GET from the same low-privilege session without any function-level authorization check, even though the original PATCH was scoped to a single user-id.
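To make the BFLA definition above and the request mutation just described concrete, here is an added example. It is not the original author's code and not the company's API; it is a toy in-memory user-profile service with a guarded PATCH /users/{id} handler next to an unguarded GET /users handler, the hardened GET handler beside it, and a probe that applies the same mutation as in the write-up (drop the body, strip the trailing user-id, change PATCH to GET). All user records, IDs, the /users route and the role name "admin" are constructed for the demo.

```python
# Added example, not the original author's code or the target's API. It models the
# two handlers involved in the finding: a guarded PATCH /users/{id} and an unguarded
# GET /users, then applies the same request mutation the write-up describes.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records: the kind of PII a collection endpoint must not expose.
USERS: Dict[str, Dict[str, str]] = {
    "1001": {"id": "1001", "username": "alice", "email": "alice@example.com",
             "phone": "+1-555-0101", "role": "user"},
    "1002": {"id": "1002", "username": "bob", "email": "bob@example.com",
             "phone": "+1-555-0102", "role": "user"},
    "1003": {"id": "1003", "username": "carol", "email": "carol@example.com",
             "phone": "+1-555-0103", "role": "admin"},
}

Response = Tuple[int, object]


@dataclass
class Request:
    method: str
    path: str
    caller_id: str  # identity taken from the session/JWT; authentication is assumed done
    body: Optional[Dict[str, str]] = None


def patch_profile(req: Request, user_id: str) -> Response:
    """PATCH /users/{id}: object-level check, a caller may only edit their own record."""
    if user_id not in USERS:
        return 404, {"error": "not found"}
    if req.caller_id != user_id:
        return 403, {"error": "forbidden"}
    USERS[user_id].update(req.body or {})
    return 200, USERS[user_id]


def list_users_vulnerable(req: Request) -> Response:
    """GET /users as in the finding: no function-level check, so every authenticated
    caller receives every record."""
    return 200, list(USERS.values())


def list_users_fixed(req: Request) -> Response:
    """GET /users hardened: listing all users is an admin function (hypothetical role
    name 'admin'), so the caller's role is checked before any data is returned."""
    caller = USERS.get(req.caller_id)
    if caller is None or caller["role"] != "admin":
        return 403, {"error": "forbidden"}
    return 200, list(USERS.values())


def build_router(list_handler: Callable[[Request], Response]) -> Callable[[Request], Response]:
    """Minimal dispatcher for /users and /users/{id}; the list handler is swapped in."""
    def route(req: Request) -> Response:
        parts = [p for p in req.path.split("/") if p]
        if not parts or parts[0] != "users":
            return 404, {"error": "not found"}
        if len(parts) == 2 and req.method == "PATCH":
            return patch_profile(req, parts[1])
        if len(parts) == 1 and req.method == "GET":
            return list_handler(req)
        return 405, {"error": "method not allowed"}
    return route


def bfla_probe(route: Callable[[Request], Response], original: Request) -> List[str]:
    """Apply the mutation from the write-up: drop the body, strip the trailing user-id,
    and change PATCH to GET. Returns the e-mail addresses of *other* users disclosed."""
    collection_path = original.path.rstrip("/").rsplit("/", 1)[0]
    mutated = Request(method="GET", path=collection_path, caller_id=original.caller_id)
    status, body = route(mutated)
    if status != 200 or not isinstance(body, list):
        return []
    return [rec["email"] for rec in body if rec.get("id") != original.caller_id]


if __name__ == "__main__":
    # The captured PATCH from the collection, sent as a low-privilege user (constructed).
    captured = Request("PATCH", "/users/1001", caller_id="1001", body={"username": "alice"})
    print("vulnerable:", bfla_probe(build_router(list_users_vulnerable), captured))
    print("fixed:     ", bfla_probe(build_router(list_users_fixed), captured))
```

Against a real target the same mutation is just the captured request replayed from Burp Repeater with the body removed, the id segment cut from the path and the verb switched to GET, using the same low-privilege session cookie or token. The hardened handler shows the check that was missing: the collection listing is treated as its own function with its own authorization decision, rather than inheriting nothing from the per-object PATCH check, and it denies by default.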
No reward for this finding, because this is my full-time job :)
Thanks for reading this article.