June 22, 2026
Broken Access Control in an API Allowed Unauthorized Access to User and Admin Functions
By Mohamed Eid
2 min read
Introduction
During a security review of a small web application, I discovered a serious API authorization issue that allowed a normal authenticated user to access sensitive data and perform actions that should have been restricted to administrators only.
For privacy and responsible disclosure reasons, all identifying details have been removed from this writeup. The domain, real endpoints, tokens, user data, request bodies, and screenshots have been intentionally redacted or replaced with safe examples.
Vulnerability Summary
The application exposed several API endpoints that did not properly enforce authorization on the server side.
Although the user interface showed different features based on the user role, the backend API accepted requests from a normal user and returned or modified sensitive resources.
In practice, this meant that a low-privileged account could interact with functionality that should only be available to administrators.
Affected Area
The issue affected multiple API features, including:
- Accessing sensitive user-related data
- Accessing administrative information
- Creating or modifying orders
- Modifying points or balances
- Creating or modifying products
- Performing actions that should require admin privileges
The real endpoints are not included in this writeup to avoid exposing the affected application.
Proof of Concept — Redacted
Impact
The impact was high because the issue was not limited to information disclosure: it also allowed unauthorized state-changing actions.
A malicious user could potentially:
- View sensitive user information
- Access administrative data
- Create fake orders
- Modify points or balances
- Add or modify products
- Abuse business logic
- Damage the integrity of the application's data
Even though the application was small, this could lead to financial loss, manipulation of business data, loss of user trust, and unauthorized control over core platform operations.
Root Cause
The main issue was missing or insufficient server-side authorization.
The application appeared to rely on frontend restrictions, such as hiding admin buttons or pages from normal users. However, frontend controls are not a security boundary.
Every sensitive API endpoint must verify the authenticated user's permissions on the backend before returning data or performing any action.
Recommended Remediation
- Enforce server-side authorization on every sensitive endpoint.
- Do not trust role values sent from the client.
- Read the authenticated user's role from the backend/session/database.
- Return 403 Forbidden for unauthorized actions.
- Add ownership checks for user-owned resources.
- Prevent mass assignment of sensitive fields like role, points, balance, user_id, order_status.
- Add automated authorization tests.

```python
if authenticated_user.role != "super_admin":
    return 403  # Forbidden
```
The role should be read from a trusted backend source, not from client-controlled request data.
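The root cause and remediation above, as an added example that is not code from the original writeup or from the affected application: a framework-agnostic Python sketch in which each API handler takes (headers, body) and returns (status, payload), so it runs without a web server. Each vulnerable "before" handler sits beside its hardened "after" form, and `authz_matrix()` is the automated authorization test the list asks for. All tokens, user records, order and product fields, and the `super_admin` role name (taken from the pseudocode) are constructed for the example.

```python
from copy import deepcopy

# Constructed session store (token -> server-side user record). The role is
# looked up here; it is never taken from the request body.
_INITIAL_USERS = {
    "tok-alice": {"id": 1, "role": "user"},
    "tok-bob": {"id": 2, "role": "user"},
    "tok-admin": {"id": 3, "role": "super_admin"},
}
# Constructed resources: orders belong to a user, products are admin-managed.
_INITIAL_ORDERS = {
    100: {"id": 100, "owner_id": 1, "note": "gift", "status": "pending"},
    101: {"id": 101, "owner_id": 2, "note": "", "status": "pending"},
}
USERS, ORDERS, PRODUCTS = {}, {}, {}

# Allow-lists of fields a client may set. Everything else (status, owner_id,
# points, balance, role, ...) is dropped, which blocks mass assignment.
ORDER_CLIENT_FIELDS = {"note"}
PRODUCT_CLIENT_FIELDS = {"name", "price"}
UNAUTHORIZED = (401, {"error": "unauthorized"})
FORBIDDEN = (403, {"error": "forbidden"})
NOT_FOUND = (404, {"error": "not found"})

def reset_state():
    """Restore the constructed users/orders/products to their starting values."""
    USERS.clear(); USERS.update(deepcopy(_INITIAL_USERS))
    ORDERS.clear(); ORDERS.update(deepcopy(_INITIAL_ORDERS))
    PRODUCTS.clear()

reset_state()

def current_user(headers):
    """Resolve the caller from the bearer token; None if not authenticated."""
    return USERS.get(headers.get("Authorization", "").removeprefix("Bearer "))

def vulnerable_update_order(headers, order_id, body):
    """BEFORE: authenticated, but no ownership check and the whole body is stored."""
    if current_user(headers) is None:
        return UNAUTHORIZED
    order = ORDERS.get(order_id)
    if order is None:
        return NOT_FOUND
    order.update(body)  # client can overwrite status, owner_id, anything
    return 200, order

def update_order(headers, order_id, body):
    """AFTER: ownership (or admin) check, then only allow-listed fields are written."""
    user = current_user(headers)
    if user is None:
        return UNAUTHORIZED
    order = ORDERS.get(order_id)
    if order is None:
        return NOT_FOUND
    if order["owner_id"] != user["id"] and user["role"] != "super_admin":
        return FORBIDDEN
    order.update({k: v for k, v in body.items() if k in ORDER_CLIENT_FIELDS})
    return 200, order

def _store_product(body):
    product = {k: v for k, v in body.items() if k in PRODUCT_CLIENT_FIELDS}
    product["id"] = len(PRODUCTS) + 1
    PRODUCTS[product["id"]] = product
    return 201, product

def vulnerable_create_product(headers, body):
    """BEFORE: the admin check reads a client-supplied role field."""
    if current_user(headers) is None:
        return UNAUTHORIZED
    if body.get("role") != "super_admin":  # attacker simply sends this field
        return FORBIDDEN
    return _store_product(body)

def create_product(headers, body):
    """AFTER: the role comes from the server-side session record."""
    user = current_user(headers)
    if user is None:
        return UNAUTHORIZED
    if user["role"] != "super_admin":
        return FORBIDDEN
    return _store_product(body)

def authz_matrix():
    """Automated authorization test: returns (case, expected, actual) mismatches; empty means pass."""
    alice, bob = {"Authorization": "Bearer tok-alice"}, {"Authorization": "Bearer tok-bob"}
    admin, anon = {"Authorization": "Bearer tok-admin"}, {}
    cases = [
        ("owner edits own order", update_order, (alice, 100, {"note": "x"}), 200),
        ("user edits another user's order", update_order, (bob, 100, {"note": "x"}), 403),
        ("admin edits any order", update_order, (admin, 101, {"note": "x"}), 200),
        ("anonymous edits order", update_order, (anon, 100, {"note": "x"}), 401),
        ("user creates product", create_product, (alice, {"name": "p", "price": 1}), 403),
        ("admin creates product", create_product, (admin, {"name": "p", "price": 1}), 201),
    ]
    reset_state()
    results = [(name, expected, handler(*args)[0]) for name, handler, args, expected in cases]
    return [r for r in results if r[1] != r[2]]
```

Call `authz_matrix()` from the test suite and treat a non-empty list as a failing build; every new endpoint gets a row for each role plus the anonymous caller. The allow-list approach (copy only known client-settable fields) is what blocks mass assignment here; a deny-list of sensitive names would silently miss any field added later.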
Responsible Disclosure Note
All sensitive details have been removed from this writeup to protect the affected application and its users.
All screenshots included in this writeup are redacted and do not expose real user data, tokens, domains, endpoints, or private business information.
The goal of this writeup is educational: to explain the risk of broken access control in APIs and how developers can prevent it.