Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013, A7 Missing Function Level Access Control, lab from WebGoat. It's the role-based access control lab;
this is the lab for role-based access control using WebGoat.
We're going to take a look at stage one here. It states: as a regular employee, Tom,
what we're going to do is exploit the weak access control to use the delete function from a particular page.
We want to verify that Tom's profile can be deleted.
Now, it tells us that the passwords for each employee are just their first name in lower case. So that means we can come to the login
and log in as Tom.
And when we see his profile,
basically, what we can do is intercept
the clicking of one of these buttons and see if we can change it, instead of the viewing of the profile, to be the actual deletion of his profile.
So we'll go ahead and start up Burp Suite
and turn the interceptor on.
Okay. And so I'm looking at an employee ID of 105 and an action of ViewProfile.
So just out of curiosity,
I could try to just change the word View
to instead be Delete and just see if that works.
And apparently that solved the problem.
Now, the next stage of the lab asks you to actually put some authorization checks into the code.
Now, the developer version of WebGoat is
probably not being provided here, so I'm going to just reference the code that would be placed in there,
and I have that available.
And so this could be a possible way that you can
be sure that a user is authorized to do a particular action, and in this case it would have been deleting a profile.
So here's the code snippet. In the design of every application, you're always going to have a role-based access control matrix that identifies the roles in that application
and the authorized actions.
If a user ID requests a particular action and they're not authorized to do so, you're going to throw an exception,
and then likewise you're going to check to ensure that a particular action may be authorized against a certain employee,
and if it's not, then you're going to throw an unauthorized exception.
So that takes care of Stage two.
So now when we come to Stage three,
we are going to bypass the data layer access control. It says: as a regular employee, Tom, exploit the weak access control to view another employee's profile. Verify the access.
So once again, we are going to log in as Tom.
And if I wanted to view another employee's profile,
I could certainly turn on my Burp Suite,
go ahead and intercept,
and one of the things that you'll notice is that the employee numbers are in sequential order.
And so if I changed 105
to be 106 and then forwarded that,
then I could very easily see a completely different employee's number and information. So, Jerry Mouse, and this is all of Jerry's information.
And so that completes Stage three as well. Stage four is the same as Stage two: you're just going to add
some code in for an authorization check at your data layer.
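To make the two fixes described for Stage two and Stage four concrete, here is an added example that is not part of the video or of WebGoat's own Java code. It is written in Python, and the role names, the permission matrix, the "managers may see their direct reports" policy and the employee records (Tom Cat 105 and Jerry Mouse 106 from the lab, plus two constructed staff) are all assumptions for the example. The handler applies the function-level check (the role matrix) and then the data-level check (may this user act on this record), and it takes the acting user from the server-side session, never from the request parameters that Burp Suite was able to rewrite:

```python
"""Added example: two-layer authorization check (function level, then data level).
Roles, policy and staff table are constructed for illustration; not WebGoat code."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class UnauthorizedException(Exception):
    """Raised when a user requests an action, or a record, they may not access."""


@dataclass(frozen=True)
class Employee:
    employee_id: int
    first_name: str
    last_name: str
    role: str
    manager_id: Optional[int]  # constructed field: who this employee reports to


# Constructed role-based access control matrix: role -> actions that role may call at all.
RBAC_MATRIX: Dict[str, set] = {
    "Employee": {"ViewProfile"},
    "Manager": {"ViewProfile", "EditProfile"},
    "HR": {"ViewProfile", "EditProfile", "DeleteProfile", "CreateProfile"},
}

# Constructed staff table keyed by employee id (sequential ids, as seen in the lab).
STAFF: Dict[int, Employee] = {
    105: Employee(105, "Tom", "Cat", "Employee", manager_id=107),
    106: Employee(106, "Jerry", "Mouse", "Employee", manager_id=107),
    107: Employee(107, "Moe", "Stooge", "Manager", manager_id=None),
    108: Employee(108, "Larry", "Stooge", "HR", manager_id=None),
}


def is_authorized_for_function(user: Employee, action: str) -> bool:
    """Stage two check: does the role matrix permit this role to call this function?"""
    return action in RBAC_MATRIX.get(user.role, set())


def is_authorized_for_employee(user: Employee, target_id: int) -> bool:
    """Stage four check (data layer): may this user touch this particular record?
    Constructed policy: employees see only their own record, managers also their
    direct reports, HR anyone. An unknown id is denied rather than leaking existence."""
    target = STAFF.get(target_id)
    if target is None:
        return False
    if user.role == "HR":
        return True
    if user.role == "Manager":
        return target.employee_id == user.employee_id or target.manager_id == user.employee_id
    return target.employee_id == user.employee_id  # plain employee: own record only


def handle_request(session_user_id: int, params: Dict[str, str]) -> dict:
    """Server-side handler. `params` stands for the HTTP parameters of the intercepted
    request, e.g. {"employee_id": "105", "action": "ViewProfile"}, which the client may
    have tampered with. The acting user is taken from the session, not from params."""
    user = STAFF[session_user_id]
    action = params.get("action", "")
    try:
        target_id = int(params.get("employee_id", ""))
    except ValueError:
        raise UnauthorizedException("malformed employee_id")

    # Check 1: function-level access control. Stops View -> Delete tampering for Tom.
    if not is_authorized_for_function(user, action):
        raise UnauthorizedException(f"{user.first_name} ({user.role}) may not {action}")
    # Check 2: data-level access control. Stops 105 -> 106 tampering for Tom.
    if not is_authorized_for_employee(user, target_id):
        raise UnauthorizedException(f"{user.first_name} may not {action} employee {target_id}")

    target = STAFF[target_id]
    if action == "DeleteProfile":
        del STAFF[target_id]  # destructive step is reached only after both checks pass
        return {"deleted": target_id}
    return {"employee_id": target.employee_id, "name": f"{target.first_name} {target.last_name}"}


def attempt(session_user_id: int, params: Dict[str, str]) -> Tuple[bool, str]:
    """Convenience wrapper: (True, result) when allowed, (False, reason) when denied."""
    try:
        return True, str(handle_request(session_user_id, params))
    except UnauthorizedException as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Tom (105) replays the two tampered requests from the lab against the fixed handler.
    print(attempt(105, {"employee_id": "105", "action": "DeleteProfile"}))  # denied, check 1
    print(attempt(105, {"employee_id": "106", "action": "ViewProfile"}))    # denied, check 2
    print(attempt(105, {"employee_id": "105", "action": "ViewProfile"}))    # allowed
```

The order of the two checks matters for what the denial reveals: a request that fails the role matrix is rejected before any record lookup, so a plain employee cannot use a forbidden action to probe which employee ids exist.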