Files
webgoat
main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
lesson_solutions
AccessControlMatrix_files
BackDoors_files
BasicAuthentication_files
BlindSqlInjection_files
CSRF_files
ClientSideFiltering_files
ClientSideValidation_files
CommandInjection_files
ConcurrencyCart_files
DOMInjection_files
DOMXSS_files
DOS_Login_files
FailOpenAuthentication_files
ForcedBrowsing_files
ForgotPassword_files
HiddenFieldTampering_files
HtmlClues_files
HttpBasics_files
HttpOnly_files
HttpSplitting_files
JSONInjection_files
JavaScriptValidation_files
Lab Access Control
images
Lab Add Business Layer Access Control.html
Lab Add Data Layer Access Control.html
Lab Bypass Business Layer Access Control.html
Lab Bypass Data Layer Access Control.html
Lab SQL Injection
Lab XSS
LogSpoofing_files
MultiLevelLogin1
MultiLevelLogin2
PasswordStrength_files
PathBasedAccessControl_files
ReflectedXSS_files
RemoteAdminFlaw_files
SilentTransactions_files
SoapRequest_files
SqlNumericInjection_files
SqlStringInjection_files
StoredXSS_files
ThreadSafetyProblem_files
TraceXSS_files
UncheckedEmail_files
WSDLScanning_files
WeakAuthenticationCookie_files
WeakSessionID_files
WsSAXInjection_files
WsSqlInjection_files
XMLInjection_files
XPATHInjection_files
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
CSRF.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
JSONInjection.html
JavaScriptValidation.html
LogSpoofing.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TraceXSS.html
UncheckedEmail.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
formate.css
lessons
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
config
doc
build.xml
Eclipse-Workspace.zip
HOW TO create the WebGoat workspace.txt
build.xml
eclipse.bat
readme.txt
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
WebGoat/webgoat/main/project/WebContent/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html
wirth.marcel 82e32acb77 * Hints added
* Solutions added
* Bugfixes
* Introduction added (including how to start with webgoat and useful tools)
* New lesson: Password strength
* New lessons: Multi Level Login
* Not yet working new lesson: Session fixation (inital release)

git-svn-id: http://webgoat.googlecode.com/svn/trunk@301 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-04-07 14:28:38 +00:00

56 lines
2.2 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Solution Lab Role Based Access Control Stage4</title>
<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
<p><b>Concept / Topic To Teach:</b><br/>
In role-based access control scheme, a role represents
a set of access permissions and privileges. A user can be
assigned one or more roles. A role-based access control
normally consists of two parts: role permission management
and role assignment. A broken role-based access
control scheme might allow a user to perform accesses
that are not allowed by his/her assigned roles, or
somehow obtain unauthorized roles.
</p>
<p><b>General Goal(s):</b><br/>
Your goal is to explore the access control
rules that govern this site. Each role has permission to
certain resources (A-F). Each user is assigned one or more roles.
Only the user with the [Admin] role should have access
to the 'F' resources. In a successful attack, a user doesn't
have the [Admin] role can access resource F.
</p>
<p>
<b>Solution:</b><br/>
You have to be sure that the user is AUTHORIZED to do an action and that
he is authorized to do this action on a certain employee! So you have to check for his authorization.
You have to write some code in the class
org.owasp.webgoat.lessons.RoleBasedAccesControl.RoleBasedAccessControl.java.
Alter the handleRequest method as there is happening the dispatching.
Action has already a method called isAuthorizedForEmployee which you can use:
</p>
<pre><code>
//***************CODE HERE*************************
if(!isAuthorized(s, userId, requestedActionName))
{
throw new UnauthorizedException();
}
if(!action.isAuthorizedForEmployee(s, userId, employeeId))
{
throw new UnauthorizedException();
}
//*************************************************
</code></pre>
Try the attack again and you will see that the authorization fails and the
lesson is completed.
</body>
</html>