
Broken Access Control -> MFLAC

Broken Access Control: Missing Function Level Access Control (MFLAC)

A missing function level authorization vulnerability occurs when a sensitive request handler performs insufficient authorization checks. This common vulnerability allows malicious users to reach restricted functionality by escalating their privileges at the function level. Missing Function Level Access Control (MFLAC) is similar to IDOR, but here the broken access control is on functions rather than on objects.

Exploitation

This web app implements weak access control on its functions, which can be exploited to abuse the administrative Delete function and delete a user's account. The Delete function is meant to be used only by an Administrator.

Let's log in as Tom with the provided password tom.


As you can see, we have two functions here: SearchStaff and ViewProfile. Let's click on SearchStaff and intercept the request in Burp Suite.


Here, it looks like the value of action, which is SearchStaff, is the name of a function to be invoked in the backend. Examining the value, we notice that it is in CamelCase style and starts with a verb that reveals the purpose of the function. For example, SearchStaff starts with the verb Search, which means the function searches for Staff. If the function were to delete a staff member, the value would be something like DeleteStaff.

Let's click on ViewProfile and intercept the request in Burp Suite.


As you can see, from the value ViewProfile we understand that the purpose of the function is to view a user's profile. We will forward the request and see what we can get.


Here we have the profile of tom.

What if there is a hidden function that can be used to delete a user's profile? If so, we can predict the name of the function as something like DeleteProfile, since all the functions use CamelCase style. To test this, we will replace ViewProfile with DeleteProfile and see if we can delete the user's profile.


Let’s forward the request.


Great! We were able to invoke the Delete function, which was meant to be used only by an Administrator: the backend dispatched on the action name without checking whether the caller's role permits that function.
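The root cause above is a dispatcher that maps the action parameter straight to a handler. The following is an added example, not code from the original post or the target app: a minimal action dispatcher in its vulnerable form beside a hardened form that ties every handler to a required role and denies by default. All names (User, Store, the handlers and roles) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"

@dataclass
class Store:
    # constructed sample data: one profile, for the user tom
    profiles: dict = field(default_factory=lambda: {"tom": {"title": "Staff"}})

def view_profile(user, store):
    return store.profiles.get(user.name)

def delete_profile(user, store):
    # administrative function: removes the caller's profile
    store.profiles.pop(user.name, None)
    return "deleted"

HANDLERS = {"ViewProfile": view_profile, "DeleteProfile": delete_profile}

def dispatch_vulnerable(action, user, store):
    # MFLAC: any authenticated user can reach any handler simply by naming it,
    # so guessing DeleteProfile from the ViewProfile naming scheme succeeds.
    handler = HANDLERS.get(action)
    if handler is None:
        return "unknown action"
    return handler(user, store)

# Hardened form: the required role is declared next to each action and the
# check lives in the dispatcher, so a handler cannot be exposed without an
# explicit authorization decision.
REQUIRED_ROLE = {"ViewProfile": "user", "DeleteProfile": "admin"}
RANK = {"user": 0, "admin": 1}

def dispatch_secure(action, user, store):
    handler = HANDLERS.get(action)
    required = REQUIRED_ROLE.get(action)
    if handler is None or required is None:
        return "unknown action"  # deny by default: unlisted handlers are unreachable
    if RANK.get(user.role, -1) < RANK[required]:
        # 403; worth logging, since a non-admin naming DeleteProfile is a probe
        return "forbidden"
    return handler(user, store)
```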

This post is licensed under CC BY 4.0 by the author.