exploiting-broken-function-level-authorization
by mukul975

The exploiting-broken-function-level-authorization skill helps security auditors test APIs for Broken Function Level Authorization (BFLA). It focuses on discovering privileged endpoints, replaying them with low-privilege credentials, and validating method or path bypasses, with practical, evidence-based workflow guidance.
This skill scores 73/100, which means it is listable and likely useful for agents, but directory users should expect a somewhat security-lab-focused workflow rather than a polished end-to-end operator guide. The repository gives enough concrete BFLA testing structure to justify installation, though a few adoption details still require judgment.
- Explicit trigger and scope for OWASP API5:2023 Broken Function Level Authorization testing, including admin endpoint bypass and privilege-escalation use cases.
- Substantial operational content: a detailed skill body, API reference examples, and a Python script that tests endpoints, tokens, and HTTP method switching.
- Good install-decision signal quality: valid frontmatter, no placeholder markers, repository/file references, and clear misuse warning about written authorization.
- Workflow is oriented toward testing patterns and examples, but the file tree shows no install command and limited support assets, so setup may require manual interpretation.
- The `test` experimental signal suggests this may be more of a security exercise or reference skill than a fully packaged production-ready tool.
Overview of exploiting-broken-function-level-authorization skill
The exploiting-broken-function-level-authorization skill helps you test whether low-privilege users can call admin or privileged API functions they should not reach. It is aimed at security auditors, API testers, and red teamers who need a practical BFLA workflow rather than a generic prompt. In plain terms, this skill is for confirming whether function-level authorization breaks when you try direct endpoint access, method changes, or parameter manipulation.
What users usually care about is speed with confidence: find privileged endpoints, test them safely with restricted credentials, and learn whether the API enforces authorization consistently across routes and HTTP methods. The exploiting-broken-function-level-authorization skill is most useful when you already have a target API, a low-privilege token, and a reason to verify OWASP API5:2023 exposure.
What it is good for in security audits
Use this skill for BFLA checks, admin endpoint discovery, and privilege boundary validation. It fits audits where you need evidence of vertical privilege escalation, especially when documentation, OpenAPI specs, or front-end code may reveal routes that ordinary users should not invoke.
What makes it different
This skill is not just “try random admin URLs.” It centers the workflow around endpoint discovery, low-privilege replay, and method variation, which is where BFLA issues often hide. The included references and script support a more repeatable process than a one-off prompt.
When it is a poor fit
Do not use it as a generic authorization scanner for every access-control problem. It is narrower than full RBAC review, session testing, or business-logic abuse analysis. It also should not be used without written authorization.
How to Use exploiting-broken-function-level-authorization skill
Install context and first read path
To install exploiting-broken-function-level-authorization, add the skill to your agent workspace, then read SKILL.md first, followed by references/api-reference.md and scripts/agent.py. Those two support files matter because they show the test flow, endpoint patterns, and the script’s expected inputs more precisely than the top-level description alone.
Turn a rough goal into a useful prompt
Good input tells the skill what target, auth context, and scope you have. A weak ask is “test this API for auth issues.” A stronger prompt is: “Use exploiting-broken-function-level-authorization to review this REST API for BFLA. I have a low-privilege bearer token, an OpenAPI spec, and a staging base URL. Focus on admin endpoints, HTTP method switching, and any path patterns that expose privileged functions.”
Suggested workflow for better output
Start by listing privileged surfaces: OpenAPI paths, front-end network calls, source-embedded routes, and any known admin pages. Then ask the skill to replay those endpoints with a low-privilege account and note which methods or paths respond differently. Where you also hold an admin or otherwise authorized account, capture its responses to the same routes as a baseline: a 2xx for the low-privilege token only proves a function-level gap when the same call is a real, working privileged function for the baseline role. Anchoring the test in concrete routes this way is more effective than asking for a broad vulnerability report.
Practical repository files to inspect first
Read references/api-reference.md for the testing sequence and examples of method switching. Review scripts/agent.py if you want to understand how endpoint checks are automated and what the script considers “accessible.” If you need to adapt the skill to your own environment, these files tell you what inputs matter most: base URL, token, endpoint list, and HTTP method set.
exploiting-broken-function-level-authorization skill FAQ
Is this only for API5:2023 BFLA?
Yes, the skill is centered on OWASP API5:2023 Broken Function Level Authorization. It is not a general fuzzing tool, and it is not meant to replace broader API security testing.
Do I need code or a spec to use it well?
No, but having an OpenAPI spec, front-end source, or known endpoint list makes the results much better. The skill can still work from a base URL plus a low-privilege token, but discovery is faster and more accurate when you provide real routes.
Is the skill beginner-friendly?
It is usable by beginners who understand bearer tokens, API routes, and HTTP methods. The main limitation is that BFLA testing requires careful scoping and judgment, so the skill works best when the user can distinguish expected admin behavior from accidental exposure.
When should I not use it?
Do not use exploiting-broken-function-level-authorization if you do not have permission to test the target, or if you only need a high-level access-control checklist. It is also a weaker fit when the issue is authentication failure, CSRF, or object-level authorization (BOLA, OWASP API1:2023) rather than function-level authorization.
How to Improve exploiting-broken-function-level-authorization skill
Give it stronger target context
The best improvement is to provide more than a URL. Include the auth role, token type, known admin features, and any suspicious paths you have already found. In a security audit, that context lets the skill focus on likely privileged surfaces instead of wasting effort on public routes.
Share concrete endpoints and method behavior
If you already know that GET /api/admin/users returns 403, say so and ask the skill to test alternate methods such as POST, PUT, or PATCH. If a UI button hits /api/v1/users/export, include that path too. Distinguish a 403 (the route exists and an authorization decision was made) from a 404 or 405 (the route or verb is not exposed, or the API hides gated routes): only the former is direct evidence of a function-level check that a method switch might sidestep, so treat the latter as inconclusive rather than as proof of absence. These details help the skill detect bypasses instead of restating obvious blocks.
Ask for evidence, not just a verdict
Request a result format that includes endpoint, method, token role, status code, and why the request is suspicious. That makes the output easier to verify and reuse in a report. The more tightly a finding is tied to a specific route and method change, the more useful the output becomes.
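The workflow described in the sections above (list candidate privileged routes, replay each across several HTTP methods with a low-privilege token, flag method-switch bypasses, and record one evidence row per endpoint, method, role and status) in working form, as an added example that is not the skill’s own scripts/agent.py. The paths /api/admin/users and /api/v1/users/export come from this page; the token strings, the fake_send transport and its response table are constructed so the module runs offline, and a real run would replace fake_send with an HTTP client pointed at the staging base URL. It also sends every request with an admin baseline token, which this page does not require but which separates a genuine function-level gap from a route that does not exist.

```python
"""BFLA replay: candidate privileged routes x HTTP methods x low-privilege token.
Added example, not the skill's scripts/agent.py. `send(method, path, token)` returns
a status code and is pluggable; the fake transport at the bottom is constructed so
the module runs offline."""
from dataclasses import dataclass

METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


@dataclass(frozen=True)
class Evidence:
    """One reportable row: endpoint, method, role, status, verdict and reason."""
    endpoint: str
    method: str
    role: str             # role of the token that produced `status`
    status: int
    baseline_status: int  # same request sent with the admin baseline token
    verdict: str          # accessible | blocked | absent | inconclusive
    reason: str


def classify(status: int) -> str:
    """Collapse a status code into what matters for a function-level check."""
    if 200 <= status < 300:
        return "accessible"
    if status in (401, 403):
        return "blocked"
    if status in (404, 405):
        return "absent"  # verb or route not exposed to this token (or deliberately hidden)
    return "inconclusive"


def check_bfla(endpoints, low_role, low_token, baseline_token, send, methods=METHODS):
    """One Evidence row per (endpoint, method), judged from the low-privilege side."""
    rows = []
    for path in endpoints:
        for method in methods:
            low, base = send(method, path, low_token), send(method, path, baseline_token)
            lv, bv = classify(low), classify(base)
            if lv == "accessible" and bv == "accessible":
                verdict = "accessible"  # a working privileged function reachable by the low role
                reason = f"{low_role} got {low}, baseline got {base}: no function-level check on {method}"
            elif lv == "accessible":
                verdict = "inconclusive"  # 2xx for the low role, but the baseline failed
                reason = f"{low_role} got {low} but baseline got {base}: confirm the route is privileged"
            else:
                verdict, reason = lv, f"{low_role} got {low} (baseline {base})"
            rows.append(Evidence(path, method, low_role, low, base, verdict, reason))
    return rows


def method_switch_bypasses(rows):
    """Paths where one verb is blocked for the low-privilege token but another succeeds:
    the GET-403-but-POST-accepted pattern. Returns {path: [accessible verbs]}."""
    by_path = {}
    for r in rows:
        by_path.setdefault(r.endpoint, []).append(r)
    out = {}
    for path, prs in by_path.items():
        blocked = any(r.verdict == "blocked" for r in prs)
        allowed = sorted(r.method for r in prs if r.verdict == "accessible")
        if blocked and allowed:
            out[path] = allowed
    return out


# Constructed fake API: the admin route gates GET but not POST; export is gated
# consistently for its one verb; any other path does not exist. Tokens are placeholders.
_FAKE = {
    ("GET", "/api/admin/users", "admin-token"): 200,
    ("GET", "/api/admin/users", "user-token"): 403,
    ("POST", "/api/admin/users", "admin-token"): 201,
    ("POST", "/api/admin/users", "user-token"): 201,
    ("GET", "/api/v1/users/export", "admin-token"): 200,
    ("GET", "/api/v1/users/export", "user-token"): 403,
}
_FAKE_PATHS = {p for (_, p, _) in _FAKE}


def fake_send(method, path, token):
    """Stand-in HTTP client: unknown path -> 404, known path but unknown verb -> 405."""
    if path not in _FAKE_PATHS:
        return 404
    return _FAKE.get((method, path, token), 405)


def run_example():
    endpoints = ["/api/admin/users", "/api/v1/users/export", "/api/nope"]
    rows = check_bfla(endpoints, "user", "user-token", "admin-token", fake_send)
    return rows, method_switch_bypasses(rows)


if __name__ == "__main__":
    rows, bypasses = run_example()
    print(*[r for r in rows if r.verdict != "absent"], sep="\n")
    print("method-switch bypasses:", bypasses)
```

Against the constructed table the run reports /api/admin/users as a method-switch bypass (GET blocked with 403, POST accepted with 201 for the same low-privilege token) and leaves /api/v1/users/export out, because its only exposed verb is consistently gated. The "inconclusive" verdict exists so that a 2xx the baseline cannot reproduce is never written up as a finding without a manual look at whether the route is privileged at all.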
Iterate after the first pass
If the first run is inconclusive, narrow the scope to one API area, one role, or one route family. Then rerun with additional candidate endpoints from docs, JavaScript, or proxy logs. This is the fastest way to improve signal without turning the task into a broad security assessment.
