In September 2018, security researcher Jon Bottarini made a discovery while testing New Relic's Synthetics monitoring platform. Despite being logged in as a restricted user without administrative privileges, he found he could modify critical alert configurations on synthetic monitors—changes that should have required elevated permissions. With a simple API call manipulation, Bottarini could alter notification channels, disable alerts, or modify threshold values that determined when incidents triggered. The vulnerability meant that any authenticated user, regardless of their role, could potentially sabotage monitoring systems that organizations relied upon to detect outages and performance issues. New Relic's response was swift, but the incident highlighted a pervasive security flaw that continues to plague modern APIs: broken function-level authorization.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Broken Function-Level Authorization

  • Roman Canlas

摘要

In September 2018, security researcher Jon Bottarini made a discovery while testing New Relic's Synthetics monitoring platform. Despite being logged in as a restricted user without administrative privileges, he found he could modify critical alert configurations on synthetic monitors—changes that should have required elevated permissions. With a simple API call manipulation, Bottarini could alter notification channels, disable alerts, or modify threshold values that determined when incidents triggered. The vulnerability meant that any authenticated user, regardless of their role, could potentially sabotage monitoring systems that organizations relied upon to detect outages and performance issues. New Relic's response was swift, but the incident highlighted a pervasive security flaw that continues to plague modern APIs: broken function-level authorization.