Lesson Plan Title: Role Based Access Control: Stage 1
Concept / Topic To Teach:
In role-based access control scheme, a role represents a set of access permissions and privileges. A user can be assigned one or more roles. A role-based access control normally consists of two parts: role permission management and role assignment. A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow obtain unauthorized roles.
Your goal is to explore the access control rules that govern this site. Each role has permission to certain resources (A-F). Each user is assigned one or more roles. Only the user with the [Admin] role should have access to the 'F' resources. In a successful attack, a user doesn't have the [Admin] role can access resource F.
To solve this exercise you have to know the name of the action, which deletes employees. Of course you could just guess it because it has a really logical name. But we will look it up. So your first step is to log in as John with john as password. Use WebScarab to intercept the delete request. As you can see the delete action is called DeleteProfile. Now log in as Tom. Click in the list on his name and make sure WebScarab will intercept the next request. Click on a button, for example the 'ViewProfile' button. Change in WebScarab the action to DeleteProfile and you are done!