
Fixing OWASP API5:2023 — Broken Function Level Authorization in Symfony 7

Protecting sensitive administrative or role-specific functions

Tihomir Manushev
14 min read · Apr 5, 2025

Introduction

So far in our exploration of the OWASP API Security Top 10 with Symfony 7, we’ve looked at authentication and controlling access to specific data properties.

Now, we tackle API5:2023 — Broken Function Level Authorization. This vulnerability occurs when an API doesn’t properly restrict access to specific actions or functions based on the user’s permissions or roles.

Just because a user is logged in (authenticated) doesn’t mean they should be allowed to do everything the API offers. Admins need different capabilities than regular users.

This step-by-step guide will show you:

  • How to build a simple Symfony 7 JSON API with admin-only functions that are initially vulnerable to API5.
  • What Broken Function Level Authorization means, and why it is a critical risk.
  • How to implement fixes using Symfony’s security features (specifically role-based access control).

Let’s ensure only the right users can perform sensitive actions!
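To make the authentication-versus-authorization distinction concrete before the walkthrough, here is an added example (not code from this article) of an admin-only delete action in its vulnerable form beside a hardened version. It assumes a Symfony 7 application with `symfony/security-bundle` installed, a firewall that already authenticates API callers, and a hypothetical `User` entity with a `UserRepository`; those names are assumptions, not taken from the article.

```php
<?php
// Added example, not the article's code. Assumes: Symfony 7 with
// symfony/security-bundle, an authenticating API firewall, and a hypothetical
// App\Entity\User with App\Repository\UserRepository.

namespace App\Controller;

use App\Repository\UserRepository;                 // hypothetical repository
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

// --- VULNERABLE (API5:2023): any *authenticated* caller can delete any user.
// The firewall proves who the caller is; nothing here asks whether that
// caller's role is allowed to invoke this function at all.
#[Route('/api/vulnerable')]
final class VulnerableAdminController extends AbstractController
{
    #[Route('/users/{id}', methods: ['DELETE'])]
    public function deleteUser(int $id, UserRepository $users, EntityManagerInterface $em): JsonResponse
    {
        $user = $users->find($id);
        if (null === $user) {
            return $this->json(['error' => 'not found'], Response::HTTP_NOT_FOUND);
        }

        $em->remove($user);
        $em->flush();

        return $this->json(null, Response::HTTP_NO_CONTENT);
    }
}

// --- FIXED: function-level authorization enforced in layers.
// Layer 1: #[IsGranted] on the class covers every action in the controller;
// callers without ROLE_ADMIN are rejected before the method body runs
// (403 for an authenticated caller, 401/redirect to the entry point for anonymous).
#[Route('/api/admin')]
#[IsGranted('ROLE_ADMIN')]
final class AdminController extends AbstractController
{
    #[Route('/users/{id}', methods: ['DELETE'])]
    public function deleteUser(int $id, UserRepository $users, EntityManagerInterface $em): JsonResponse
    {
        // Layer 2: explicit in-method check, so the rule survives if this action
        // is later copied into a controller that lacks the class attribute.
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        $user = $users->find($id);
        if (null === $user) {
            return $this->json(['error' => 'not found'], Response::HTTP_NOT_FOUND);
        }

        $em->remove($user);
        $em->flush();

        return $this->json(null, Response::HTTP_NO_CONTENT);
    }
}

/*
 * Layer 3 (config/packages/security.yaml), URL-pattern based, defence in depth:
 *
 * security:
 *     access_control:
 *         - { path: ^/api/admin, roles: ROLE_ADMIN }
 *
 * access_control matches only the request path, so it must not be the sole
 * control: an admin action added under a different prefix would be unprotected.
 * Keep the role check on the code that performs the privileged function.
 */
```

Two checks worth running against such an endpoint: send the `DELETE` with a valid token for an ordinary `ROLE_USER` account and confirm a 403 (not a 204), and send it with no credentials and confirm the firewall rejects it before the controller is reached. If a `role_hierarchy` is configured, remember that `ROLE_ADMIN` may be granted transitively, so test with the lowest role that should be denied.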

What is API5:2023 — Broken…


Written by Tihomir Manushev

Senior Backend Developer at Generic Soft
