Lesson Plan Title: Role Based Access Control: Stage 3

Concept / Topic To Teach:
In role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow obtain unauthorized roles.

General Goal(s):
Your goal is to explore the access control rules that govern this site. Each role has permission to certain resources (A-F). Each user is assigned one or more roles. Only the user with the [Admin] role should have access to the 'F' resources. In a successful attack, a user doesn't have the [Admin] role can access resource F.

Solution:
In stage 1 we tried to use an action we are not authorised to use. In this stage we want to view a profile of an other person. We have the permission for the action ViewProfile but we should not have the permission to see a profile of another employee!

Log in as Tom with tom as password. Click on Tom's name in the list and make sure webscarab will intercept the next request. Change the employee_id for example to 101.