Client-Side Only Authorization

Description

If the app enforces roles/permissions only on the client (e.g., hiding admin buttons or routes in the UI) and the backend does not verify authorization on each request, an attacker can bypass the UI entirely: replay or craft API calls directly and reach protected resources and actions. Hidden is not the same as forbidden; anything the client can request, the server must authorize.

Examples

Toggle Privileged Flags in Requests

Intercept a legitimate request with a proxy, then replay it with privilege-related fields changed:

mitmproxy  # capture a normal request from the app, then modify and replay it
# Change fields like {"is_admin":false} -> true, or alter the userId in the path
curl -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" \
  -X POST -d '{"is_admin":true}' \
  https://api.example.com/admin/users/123/disable

If the backend honours the modified request (2xx and the state change takes effect, e.g. the target account is actually disabled) for a low-privilege token, authorization is broken: the decision was being made by the client, not the server. Compare against the unmodified request, which should be refused for the same token, and against the same call made without any token.

Remediation

  1. Enforce authorization server‑side
    • Evaluate user roles/ownership on every request, taking the caller's identity and role from the server‑side session or a verified token, never from flags or identifiers supplied in the request body, query string, or path.
  2. Defence in depth
    • Where a sensitive value must travel through the client (e.g., a pre‑computed permission or a transaction reference), sign it with an HMAC, bind it to the session, and validate the signature and binding before use.
  3. Logging and detection
    • Log the authenticated subject alongside the resource and action, and alert on privilege‑escalating actions and on mismatches between the authenticated user and user identifiers in the request.
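The following is an added example (not code from the original page) that ties the tampering test above and the server‑side remediation together: a vulnerable handler that trusts a client‑supplied `is_admin` flag, a fixed handler that derives the role from the server‑side session, and a small replay harness that applies the same mutations a tester would make in the proxy (flip false flags to true, swap numeric IDs in the path) and reports which ones the handler accepts. The sessions, user table, tokens and the `/admin/users/<id>/disable` endpoint are all constructed for illustration.

```python
"""Client-side-only authorization: vulnerable vs fixed handler plus a
mutation/replay harness. Added example; every identifier here is constructed."""
import copy
import re
from dataclasses import dataclass, field

# Constructed server-side state: bearer token -> session. The role lives here,
# never in anything the client sends.
SESSIONS = {
    "tok-alice": {"user_id": 123, "role": "user"},
    "tok-bob":   {"user_id": 456, "role": "user"},
    "tok-admin": {"user_id": 1,   "role": "admin"},
}
USERS = {1: {"disabled": False}, 123: {"disabled": False}, 456: {"disabled": False}}

DISABLE = re.compile(r"^/admin/users/(\d+)/disable$")


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: dict = field(default_factory=dict)


def caller(req):
    """Resolve the server-side session from the Authorization header (None if invalid)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def vulnerable_disable(req, users):
    """Broken: authenticates the caller but lets the client decide its own privilege."""
    sess = caller(req)
    if sess is None:
        return 401
    m = DISABLE.match(req.path)
    if m is None:
        return 404
    if not req.body.get("is_admin", False):   # client-controlled authorization decision
        return 403
    users[int(m.group(1))]["disabled"] = True
    return 200


def fixed_disable(req, users):
    """Fixed: the role comes from the server-side session; body flags are ignored."""
    sess = caller(req)
    if sess is None:
        return 401
    m = DISABLE.match(req.path)
    if m is None:
        return 404
    if sess["role"] != "admin":               # server-side check on every request
        return 403
    target = int(m.group(1))
    if target not in users:
        return 404
    users[target]["disabled"] = True
    return 200


def mutations(req):
    """Yield tampered copies: each false body flag flipped to true, and each
    numeric path segment replaced by another (constructed) user id."""
    for key, val in req.body.items():
        if val is False:
            r = copy.deepcopy(req)
            r.body[key] = True
            yield f"body.{key}=true", r
    for seg in re.findall(r"\d+", req.path):
        for other in ("1", "456"):
            if other != seg:
                r = copy.deepcopy(req)
                r.path = req.path.replace(seg, other, 1)
                yield f"path {seg}->{other}", r


def probe(handler, base):
    """Return the mutations the handler accepts (2xx) although the unmodified
    request was refused: each entry is an authorization bypass."""
    if 200 <= handler(base, copy.deepcopy(USERS)) < 300:
        return ["baseline already accepted"]
    return [name for name, r in mutations(base)
            if 200 <= handler(r, copy.deepcopy(USERS)) < 300]


# Constructed capture: a normal user replaying the admin call with is_admin:false.
BASE = Request("POST", "/admin/users/123/disable",
               {"Authorization": "Bearer tok-alice",
                "Content-Type": "application/json"},
               {"is_admin": False})

if __name__ == "__main__":
    print("vulnerable handler bypassed by:", probe(vulnerable_disable, BASE))
    print("fixed handler bypassed by:     ", probe(fixed_disable, BASE))
```

Against the vulnerable handler the harness reports `body.is_admin=true` as a bypass; against the fixed handler it reports nothing, because the role is read from `SESSIONS` and the same admin‑only path is still reachable for `tok-admin`. Swapping the path ID alone is not reported here because neither handler is vulnerable to it; in a real API the same swap is how you test for missing ownership checks on per‑user resources.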