Solution Lab Role Based Access Control Stage4

Lesson Plan Title: How to Perform Cross Site Scripting (XSS)

Concept / Topic To Teach:
In role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow obtain unauthorized roles.

General Goal(s):
Your goal is to explore the access control rules that govern this site. Each role has permission to certain resources (A-F). Each user is assigned one or more roles. Only the user with the [Admin] role should have access to the 'F' resources. In a successful attack, a user doesn't have the [Admin] role can access resource F.

Solution:
You have to be sure that the user is AUTHORIZED to do an action and that he is authorized to do this action on a certain employee! So you have to check for his authorization. You have to write some code in the class org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java. Alter the handleRequest method as there is happening the dispatching. Action has already a method called isAuthorizedForEmployee which you can use:


//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
{
  throw new UnauthorizedException();
}
if(!action.isAuthorizedForEmployee(s, userId, employeeId))
{
  throw new UnauthorizedException();
}						
//*************************************************

Try the attack again and you will see that the authorization fails and the lesson is completed.