
API5:2023 Broken Function Level Authorization - Detection Comment

Open ynvb opened this issue 1 year ago • 2 comments

The initial table (middle row) states that "Detection relies on proper logging and monitoring." Without going into specific vendor solutions and detections (which I do not believe should be encouraged by OWASP in general), several other tactics could mitigate this issue. One example would be to baseline the common request types accepted by an endpoint and look for deviations. And yes, you could flag this as "Monitoring," but this is not the first thing you think about when thinking about "monitoring". My point here is that:

  1. Either OWASP decides to elaborate more regarding the specific solutions, in which case this statement should be expanded to be more inclusive and include more tactics for detection (IMO not such a good option, since it can be endless and might create an unnecessary bias to this solution or the other)
  2. Remove this statement altogether, as it is already covered in the "How to Prevent" section

ynvb, Mar 05 '23 11:03
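The tactic ynvb sketches (baseline the request methods each endpoint normally accepts, then flag requests that deviate from that baseline) can be shown as a small piece of detection logic. The following is an added example written for this thread, not code from the OWASP project or from any commenter; the log format (method, path template, status) and the sample lines are constructed for illustration, and numeric path segments are collapsed to `{id}` so that `/api/users/42` and `/api/users/17` count as the same endpoint.

```python
import re
from collections import defaultdict

# Constructed sample lines for a baseline window: "METHOD PATH STATUS".
BASELINE_LOG = """\
GET /api/users/17 200
GET /api/users/42 200
GET /api/users/42/orders 200
POST /api/users/42/orders 201
GET /api/users/17/orders 200
POST /api/users/17/orders 201
GET /api/products/9 200
GET /api/products/12 200
"""

# Constructed sample lines for a later window to evaluate against the baseline.
CANDIDATE_LOG = """\
GET /api/users/42 200
DELETE /api/users/17 403
PUT /api/users/42 403
GET /api/products/9 200
PATCH /api/products/12 403
POST /api/users/42/orders 201
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")


def normalize_path(path):
    """Collapse numeric path segments to a template: /api/users/42 -> /api/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def parse_line(line):
    """Parse one log line into (method, endpoint_template, status); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("method"), normalize_path(m.group("path")), int(m.group("status"))


def build_baseline(log_text):
    """Map each endpoint template to the set of methods observed in the baseline window."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            method, endpoint, _status = rec
            baseline[endpoint].add(method)
    return dict(baseline)


def find_deviations(baseline, log_text):
    """Return (method, endpoint, status) for requests using a method the endpoint
    never accepted during the baseline window. Unknown endpoints are flagged too,
    since an empty baseline set never contains the method."""
    deviations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        method, endpoint, status = rec
        if method not in baseline.get(endpoint, set()):
            deviations.append((method, endpoint, status))
    return deviations


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for method, endpoint, status in find_deviations(base, CANDIDATE_LOG):
        print(f"deviation: {method} {endpoint} (status {status})")
```

In the constructed data the user and product endpoints only ever receive GET (and the orders endpoint GET/POST) during the baseline window, so the DELETE, PUT and PATCH requests in the later window are reported as deviations regardless of their status code; the 403s merely show the server refused them. In a real deployment the baseline window would need to be long enough to cover legitimate administrative traffic, and the path normalization would have to match the API's actual routing scheme.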

The "detection" aspect of this table is intended to help think about how difficult it would be for an attacker to detect this problem in an application. That's what drives the risk. The detection of attempts to exploit this vulnerability using logging and monitoring is irrelevant.

planetlevel, Mar 07 '23 23:03

Good point. Agreed. This way or the other, I would personally recommend simply removing this sentence, as I believe that in the best-case scenario, it doesn't really add to the description, and might just create unnecessary confusion here.

ynvb, Mar 09 '23 11:03

Remove this statement altogether, as it is already covered in the "How to Prevent" section

I don't see it

(The same applies to other pages in the Top 10; I'm not sure it is mentioned once in a "How to Prevent" section, even if it is mentioned elsewhere throughout the document.)

FTR it was a part all by itself of the 2019 API Top 10: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md

LaurentCB, Mar 12 '23 16:03