BROKEN FUNCTION LEVEL AUTHORIZATION / BFLA defined.

When a user can invoke functions (admin endpoints, privileged operations) that should be restricted to higher-privilege roles.

What is Broken Function Level Authorization (BFLA)?

BFLA is the function-level cousin of BOLA. Where BOLA is “you can read another user’s data,” BFLA is “you can call admin endpoints.” Classic patterns: hidden endpoints discovered via JS bundle analysis, role enforcement only on the front end, and middleware that authenticates but doesn’t authorize.

Defence: declarative role checks at the route layer, plus negative test cases in CI that confirm a low-privilege user gets 403 from every admin endpoint.
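The two defences above, as an added illustration that is not part of the original glossary entry: a minimal in-memory router (an assumption standing in for a real web framework) declares the required role on each route so the check cannot be forgotten inside a handler, and a CI-style negative test walks the server-side route table (hidden endpoints included) to confirm a low-privilege user gets 403 from every admin route.

```python
# Constructed example: declarative role checks at the route layer plus a
# negative test for BFLA. The router and roles are assumptions, not a vendor API.
ROUTES = {}  # path -> (required_role, handler)

# Role hierarchy used by the check: admin implies user.
ROLE_ALLOWS = {"user": {"user", "admin"}, "admin": {"admin"}}


def route(path, role):
    """Register a handler and declare its required role on the route itself."""
    def wrap(fn):
        ROUTES[path] = (role, fn)
        return fn
    return wrap


@route("/api/users/me", role="user")
def get_me(user):
    return 200, {"id": user["id"]}


@route("/api/admin/users", role="admin")
def list_users(user):
    return 200, ["alice", "bob"]


@route("/api/admin/users/delete", role="admin")
def delete_user(user):
    return 200, {"deleted": True}


def dispatch(path, user):
    """Authenticate *and* authorize before any handler code runs."""
    if path not in ROUTES:
        return 404, None
    required_role, handler = ROUTES[path]
    if user is None:
        return 401, None  # authenticated? no
    if user["role"] not in ROLE_ALLOWS[required_role]:
        return 403, None  # authorized? no
    return handler(user)


def admin_routes():
    """Enumerate admin routes from the server-side table, not the JS bundle."""
    return sorted(p for p, (role, _) in ROUTES.items() if role == "admin")


def negative_test(low_priv_user):
    """CI check: return every admin route that does NOT answer 403 (empty = pass)."""
    return [p for p in admin_routes() if dispatch(p, low_priv_user)[0] != 403]
```

Wire `negative_test` into the test suite so a newly added admin route that forgets its role declaration fails the build rather than shipping.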

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.
