Access Control: LAB: Role Based Access Control

Stage 1

Goal: 

At this stage Tom is a regular user with only view permission for the staff list page. We will explore how Tom's profile can be deleted using his own account.

Method: 

1. Start Burp Suite, then log on using Jerry's ID (Jerry Mouse / jerry).

2. The screen will show that the value used for profile deletion is "DeleteProfile".

3. Next, start intercepting, log in using Tom's account and view Tom's profile.

4. Now change the intercepted value to "DeleteProfile" and forward the request.

5. Stage 1 is now complete.


Stage 2

Goal: 

Add a fix that denies unauthorized access to the Delete function.

Method: 

1. Use Eclipse or any preferred tool to modify RoleBasedAccessControl.java; the source class information is given below.

Lesson menu item: RoleBasedAccessControl

Lesson project: role-based-access-control

Lesson source class: org.owasp.webgoat.plugin.rollbased.RoleBasedAccessControl.java

    // Function-level check: reject the request if this user's role may not
    // perform the requested action, whatever value the client sent
    if (!isAuthorized(s, getUserId(s), requestedActionName)) {
        throw new UnauthenticatedException();
    }

2. Once complete, run Maven to generate the packages:

mvn package

3. Now rerun Stage 1; you will receive a login failed error message as shown in the screenshot below.

Stage 3: Breaking Data Layer Access Control.

Goal: 

View another employee's profile by exploiting an access control weakness.

Method: 

1. Start Burp Suite, then log on using Tom's ID (Tom Cat / tom).

2. Click View Profile.

3. Now replace the value 105 with 106 to view the manager's profile.

Stage 4: Add Data Layer Access Control.

Goal: 

Add a fix that denies unauthorized access to this data. Once done, retest Stage 3 and verify that access to other employees' profiles is properly denied.

Method: 

1. Use Eclipse or any preferred tool to modify RoleBasedAccessControl.java; the source class information is given below.

Lesson menu item: RoleBasedAccessControl

Lesson project: role-based-access-control

Lesson source class: org.owasp.webgoat.plugin.rollbased.RoleBasedAccessControl.java

    // Function-level check from Stage 2: the user's role must permit the requested action
    if (!isAuthorized(s, getUserId(s), requestedActionName)) {
        throw new UnauthenticatedException();
    }

In addition to the fix added in Stage 2 above, we need to add the following data-layer check so that a user who is allowed to call the function still cannot use it on another employee's record.

    // Data-layer check: the user id comes from the server-side session, the
    // employee id from the request; reject the request if this user may not
    // act on that employee's record
    int userId = Integer.parseInt((String) s.getRequest().getSession().getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID));
    int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
    if (!action.isAuthorizedForEmployee(s, userId, employeeId)) {
        throw new UnauthenticatedException();
    }

2. Once complete, run Maven to generate the packages:

mvn package

3. Now rerun Stage 1; you will receive a login failed error message as shown in the screenshot below.
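As an added example (not part of this lab or WebGoat's own source), the following stand-alone Java class models the two checks that the Stage 2 and Stage 4 fixes introduce: a function-level check that the user's role may invoke the requested action, and a data-level check that the user may reach the requested employee record. The roles, the HR user 107 and the reporting lines are assumptions; only the ids 105 and 106 come from the lab.

```java
import java.util.Map;
import java.util.Set;

// Added example, not WebGoat's code: a stand-alone model of the two authorization
// layers the lab adds. Roles, ids and reporting lines are constructed; ids 105 (Tom)
// and 106 (Tom's manager) follow the lab, the HR user 107 is an assumption.
public class TwoLayerAccessControl {

    enum Role { EMPLOYEE, MANAGER, HR }

    // Constructed directory: employee id -> role, and employee id -> id of their manager
    static final Map<Integer, Role> ROLES = Map.of(105, Role.EMPLOYEE, 106, Role.MANAGER, 107, Role.HR);
    static final Map<Integer, Integer> MANAGER_OF = Map.of(105, 106, 106, 107);

    // Function layer (Stage 2 fix): which roles may invoke which action
    static final Map<String, Set<Role>> ACTION_ROLES = Map.of(
            "ViewProfile", Set.of(Role.EMPLOYEE, Role.MANAGER, Role.HR),
            "DeleteProfile", Set.of(Role.HR));

    static boolean isAuthorized(int userId, String action) {
        Role role = ROLES.get(userId);
        Set<Role> allowed = ACTION_ROLES.get(action);
        return role != null && allowed != null && allowed.contains(role);
    }

    // Data layer (Stage 4 fix): may this user act on this employee's record?
    static boolean isAuthorizedForEmployee(int userId, int employeeId) {
        if (userId == employeeId) return true;           // own record
        if (ROLES.get(userId) == Role.HR) return true;   // HR may reach every record
        Integer manager = MANAGER_OF.get(employeeId);
        return manager != null && manager == userId;     // direct report of the caller
    }

    // The server applies both layers; userId is taken from the session, never from
    // the request, while action and employeeId are client-supplied parameters.
    static boolean handleRequest(int sessionUserId, String action, int employeeId) {
        return isAuthorized(sessionUserId, action)
                && isAuthorizedForEmployee(sessionUserId, employeeId);
    }

    public static void main(String[] args) {
        // Stage 1 replay: Tom's session with the action rewritten to DeleteProfile
        System.out.println("tom DeleteProfile 105: " + handleRequest(105, "DeleteProfile", 105));
        // Stage 3 replay: Tom's session asking for employee 106
        System.out.println("tom ViewProfile 106:   " + handleRequest(105, "ViewProfile", 106));
        // Legitimate use: the manager views a direct report, HR deletes a record
        System.out.println("mgr ViewProfile 105:   " + handleRequest(106, "ViewProfile", 105));
        System.out.println("hr  DeleteProfile 105: " + handleRequest(107, "DeleteProfile", 105));
    }
}
```

Dropping the data-layer call from handleRequest reproduces the Stage 3 weakness: Tom passes the role check for ViewProfile and is never asked whether employee 106 is his to view.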
