<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage4</title>
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>

<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents 
a set of access permissions and privileges. A user can be 
assigned one or more roles. A role-based access control 
normally consists of two parts: role permission management 
and role assignment. A broken role-based access 
control scheme might allow a user to perform accesses 
that are not allowed by his/her assigned roles, or 
somehow obtain unauthorized roles.
</p> 

<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control 
rules that govern this site. Each role has permission to 
certain resources (A-F). Each user is assigned one or more roles. 
Only the user with the [Admin] role should have access 
to the 'F' resources. In a successful attack, a user doesn't 
have the [Admin] role can access resource F.
</p>

<p>
<b>Solution:</b><br/>
You have to be sure that the user is AUTHORIZED to do an action and that
he is authorized to do this action on a certain employee! So you have to check for his authorization.
You have to write some code in the class 
org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
Alter the handleRequest method as there is happening the dispatching.
Action has already a method called isAuthorizedForEmployee which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
{
  throw new UnauthorizedException();
}
if(!action.isAuthorizedForEmployee(s, userId, employeeId))
{
  throw new UnauthorizedException();
}						
//*************************************************
</code></pre>
Try the attack again and you will see that the authorization fails and the
lesson is completed.

</body>
</html>