How to do it...

Let's look at a practical example using WebGoat:

  1. Log in to WebGoat and go to Access Control Flaws | LAB Role Based Access Control | Stage 1: Bypass Business Layer Access Control.
  2. Log in to the lab as Tom Cat with the credentials Tom:tom and open Firefox's Developer Tools (F12).
  3. Inspect the list of employees. The only element, Tom Cat (employee), is an HTML option tag whose value is 105.
  4. Go to the Network tab in Developer Tools and click on ViewProfile. Notice that the request carries a parameter called employee_id with the value 105: the server decides which profile to show from a value the client supplies.
  5. Click on ListStaff to go back to the list.
  6. Switch to the Inspector tab in Developer Tools.
  7. Double-click on the value (105) of the option tag and change it to 101. We want to see whether other users' information can be read simply by changing this parameter.
  8. Click on ViewProfile again. If another employee's profile is displayed, the business layer is not checking that the logged-in user is allowed to see the requested employee_id.
  9. Now, the task in WebGoat is to delete Tom's profile using his own account, so let's try that. Click on ListStaff to go back to the list.
  10. Inspect the ViewProfile button.
  11. Notice that its name is action and its value is ViewProfile; change the value to DeleteProfile.
  12. The text on the button changes accordingly. Click DeleteProfile and this stage is completed: an ordinary employee account has performed an action reserved for a privileged role, because the server acts on whatever action value the form submits instead of checking the user's role on its own side.
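The following Python sketch is an added example, not WebGoat's code: it models the business layer the lab exposes, with the vulnerable dispatcher (acting on the submitted action and employee_id as soon as a session exists) beside a hardened one that decides authorization from the server-side role table, and replays the three requests from the steps above as Tom (id 105). The staff directory, role names and rule set (employees see only themselves, managers see their direct reports, only HR may delete) are constructed assumptions for the demo.

```python
"""Vulnerable vs. hardened business layer for the WebGoat RBAC lab (illustrative model)."""
from copy import deepcopy

# Constructed staff directory: Tom Cat (105, employee) is the lab account;
# the other entries and the manager_id links are made up for this example.
STAFF = {
    101: {"name": "Larry Example", "role": "employee", "manager_id": 102},
    102: {"name": "Moe Manager",   "role": "manager",  "manager_id": None},
    105: {"name": "Tom Cat",       "role": "employee", "manager_id": 102},
    107: {"name": "Hilda HR",      "role": "hr",       "manager_id": None},
}


def fresh_staff():
    """Independent copy so each simulated request sequence starts clean."""
    return deepcopy(STAFF)


def _parse(form):
    """Pull action and employee_id out of the submitted form (both are strings)."""
    action = form.get("action", "")
    try:
        target = int(form.get("employee_id", ""))
    except ValueError:
        target = None
    return action, target


def vulnerable_dispatch(session_user_id, form, staff):
    """The flaw shown in the lab: the only check is 'is someone logged in?';
    which profile is touched, and what is done to it, comes from the client."""
    if session_user_id not in staff:
        return 401, "login required"
    action, target = _parse(form)
    if target not in staff:
        return 404, "no such employee"
    if action == "ViewProfile":
        return 200, staff[target]["name"]
    if action == "DeleteProfile":
        del staff[target]          # any employee can delete any profile
        return 200, "deleted"
    return 400, "unknown action"


def is_authorized(actor_id, action, target_id, staff):
    """Server-side RBAC decision using only the session identity and role table."""
    actor = staff[actor_id]
    target = staff.get(target_id)
    if target is None:
        return False
    if action == "ViewProfile":
        return (actor_id == target_id
                or actor["role"] == "hr"
                or (actor["role"] == "manager" and target["manager_id"] == actor_id))
    if action == "DeleteProfile":
        return actor["role"] == "hr"
    return False                   # unknown actions are denied, not dispatched


def secure_dispatch(session_user_id, form, staff):
    """Same interface, but the form only expresses intent; the role table decides."""
    if session_user_id not in staff:
        return 401, "login required"
    action, target = _parse(form)
    if not is_authorized(session_user_id, action, target, staff):
        return 403, "forbidden"    # same answer for unknown ids: no enumeration hint
    if action == "ViewProfile":
        return 200, staff[target]["name"]
    del staff[target]
    return 200, "deleted"


# The three requests from the walkthrough, all sent from Tom's session (105).
LESSON_REQUESTS = [
    {"action": "ViewProfile",   "employee_id": "105"},  # legitimate request
    {"action": "ViewProfile",   "employee_id": "101"},  # option value edited 105 -> 101
    {"action": "DeleteProfile", "employee_id": "105"},  # button value edited
]


def run_lesson(dispatch):
    """Replay the tampered requests against one dispatcher; return (status, body) list."""
    staff = fresh_staff()
    return [dispatch(105, form, staff) for form in LESSON_REQUESTS]


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_dispatch), ("hardened", secure_dispatch)):
        print(label)
        for form, result in zip(LESSON_REQUESTS, run_lesson(fn)):
            print(f"  {form['action']:<14} employee_id={form['employee_id']} -> {result}")
```

The hardened dispatcher returns 403 for both tampered requests while still letting the HR role delete and a manager view a direct report, which is the check the lab's business layer is missing: the decision is made from the session and the role table, never from the action or employee_id the browser submits.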