
API5:2023 Broken Function Level Authorization

Privileged endpoints (admin panels, billing controls, user management) are reachable by lower-privilege roles. Adjacent to BOLA but at the function level rather than the object level.

What Vulkro detects

Vulkro flags admin-pattern URLs and handler names whose request pipeline contains no role assertion. A role check is recognised by middleware imports, dependency declarations, or decorators that reference known guard names; a guard that only authenticates the caller does not count as a role assertion.
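
The following is an added illustration of the kind of static check this rule describes; it is not Vulkro's implementation. It scans NestJS-style source text for exported controllers whose route prefix looks administrative and reports those whose decorator stack names no role guard. The admin path pattern, the set of "known guard names", and the sample source strings are assumptions made for the example.

```typescript
// Added example: an illustrative static check of the kind this rule describes.
// It is not Vulkro's implementation; the admin path pattern and the set of
// "known guard names" are assumptions chosen for the example.

const ADMIN_PATH = /^(admin|internal|management)(\/|$)/i;   // admin-pattern route prefixes (assumed)
const ROLE_GUARDS = new Set(["AdminGuard", "RolesGuard"]);   // decorators treated as role assertions (assumed)

export interface Finding {
  controller: string;   // class name
  path: string;         // @Controller() prefix
  reason: string;
}

// Scans NestJS-style source for exported controller classes whose route prefix
// looks administrative and whose decorator stack carries no role guard.
// Authentication-only guards (e.g. JwtAuthGuard) do not count: they prove who
// the caller is, not that the caller may invoke an admin function.
export function findUnguardedAdminControllers(source: string): Finding[] {
  const findings: Finding[] = [];
  // A run of class decorators immediately followed by "export class <Name>".
  const classRe = /((?:@\w+\([^)]*\)\s*)+)export\s+class\s+(\w+)/g;
  let m: RegExpExecArray | null;
  while ((m = classRe.exec(source)) !== null) {
    const decorators = m[1];
    const name = m[2];
    const ctrl = /@Controller\(\s*['"]([^'"]*)['"]\s*\)/.exec(decorators);
    if (!ctrl || !ADMIN_PATH.test(ctrl[1])) continue;   // not a controller, or not admin-pattern
    const guards = /@UseGuards\(([^)]*)\)/.exec(decorators);
    const names = guards ? guards[1].split(",").map(s => s.trim()).filter(Boolean) : [];
    if (names.some(n => ROLE_GUARDS.has(n))) continue;  // role assertion present
    findings.push({
      controller: name,
      path: ctrl[1],
      reason: names.length
        ? `@UseGuards(${names.join(", ")}) present but none is a role guard`
        : "no @UseGuards on an admin-pattern controller",
    });
  }
  return findings;
}
```

Run against the non-compliant snippet below it returns one finding for AdminController; against the compliant snippet it returns none. A controller guarded only by JwtAuthGuard is still reported, which is the distinction the rule draws between authentication and function-level authorization.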

Non-compliant code (examples)

NestJS — admin route, no role guard

import { Controller, Delete, Param } from '@nestjs/common';

@Controller('admin')
export class AdminController {
  // UsersService: assumed application service exposing deleteById()
  constructor(private readonly users: UsersService) {}

  @Delete('users/:id')
  async deleteUser(@Param('id') id: string) {
    return this.users.deleteById(id); // any authenticated caller reaches this
  }
}

Compliant code (examples)

NestJS — admin-only guard on the controller

import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
import { JwtAuthGuard, AdminGuard } from './guards'; // assumed local module for the two guards

@UseGuards(JwtAuthGuard, AdminGuard) // JwtAuthGuard authenticates; AdminGuard asserts the admin role
@Controller('admin')
export class AdminController {
  // UsersService: assumed application service exposing deleteById()
  constructor(private readonly users: UsersService) {}

  @Delete('users/:id')
  async deleteUser(@Param('id') id: string) {
    return this.users.deleteById(id);
  }
}
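
The compliant snippet relies on AdminGuard, whose decision logic this page does not show. The following added example (not Vulkro's or NestJS's code) shows that logic in framework-independent form: a per-function policy table, deny by default for unlisted functions, an unauthenticated caller rejected before any role lookup, and an exact role match that also rejects a malformed roles claim. The claim shape, role names and handler names are assumptions made for the example.

```typescript
// Added example: function-level authorization as a guard such as AdminGuard
// would perform it. Framework-independent; the claim shape, role names and
// handler names below are assumptions for the example, not Vulkro's or NestJS's code.

export interface Principal {
  sub: string;      // subject from a verified token
  roles?: unknown;  // roles claim as received; validated below, never trusted blindly
}

// Every privileged function is listed with the role it requires.
// Functions with no entry are treated as privileged and denied (deny by default).
const REQUIRED_ROLE: Record<string, string> = {
  "AdminController.deleteUser": "admin",
  "AdminController.listUsers": "admin",
  "BillingController.refund": "finance",
};

// The only functions callable by any authenticated principal.
const PUBLIC_FUNCTIONS = new Set(["ProductsController.list"]);

export type Decision =
  | { allowed: true }
  | { allowed: false; status: 401 | 403; reason: string };

// Exact, case-sensitive role match. A missing or non-array roles claim
// (e.g. a bare string) is treated as "no roles", not as an error to skip.
export function hasRole(p: Principal | undefined, role: string): boolean {
  if (!p || !Array.isArray(p.roles)) return false;
  return p.roles.some(r => typeof r === "string" && r === role);
}

// The guard decision for calling `fn`. Note that the decision depends only on
// the function and the caller's role, never on the object id in the request:
// that is what makes this a function-level (BFLA) check rather than an object-level (BOLA) one.
export function authorizeFunction(p: Principal | undefined, fn: string): Decision {
  if (PUBLIC_FUNCTIONS.has(fn)) return { allowed: true };
  if (!p) return { allowed: false, status: 401, reason: "unauthenticated" };
  const role: string | undefined = REQUIRED_ROLE[fn];
  if (role === undefined) return { allowed: false, status: 403, reason: `no policy for ${fn}` };
  if (!hasRole(p, role)) return { allowed: false, status: 403, reason: `requires role ${role}` };
  return { allowed: true };
}
```

The important property for this category is the default: a function that nobody remembered to register is refused rather than silently reachable, which is the failure mode the non-compliant snippet above exhibits.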

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

References


This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.