Emmanuel Benoist Home Page

Broken Access Control : Exercises

Solutions for this exercise

Missing Function Level Access Control

For this exercise we use a new application for managing marks, Marks Manager. You will receive from the professor usernames and passwords for different users (admin, prof, student).
Normally a student cannot change their own marks.
Visit the site as each of the different users. Note the URLs of the different resources (in particular the URL of the page the professor uses to change a mark).

Try to change the mark of a student (give them a 6.0 for instance).

Attack your guestbook using insecure direct object references

  • Log in as a normal user.
  • Get the IDs of all users.
    You are not allowed to look in the database for this (too easy); find them from what the application itself exposes in its pages and URLs.
  • Read some messages you do not have the right to read (by changing the id in the URL).
  • Send messages under another user's name (a wrong author).
  • Change the password of any user other than the one you are logged in as.
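To see why each of the steps above works and what the missing check looks like, here is an added illustrative example; it is not the course's Marks Manager or guestbook code. It models both applications in memory: every handler carries the authorisation check the exercise shows to be missing, enabled only when the application is built with hardened=True, so the vulnerable and fixed behaviour differ by exactly that check. The user ids (1 admin, 2 prof, 3 student, 4 student), the marks, the message and the handler names are constructed assumptions for this example.

```python
"""Added illustrative example (not the course's Marks Manager or guestbook
code): an in-memory model of the two exercise applications. Every handler
carries the authorisation check the exercise shows to be missing, enabled only
with App(hardened=True), so the vulnerable and fixed behaviour differ by
exactly that check. Users, ids, marks and messages are constructed sample data."""


class Forbidden(Exception):
    """Raised by a hardened handler when the caller is not authorised."""


class App:
    def __init__(self, hardened):
        self.hardened = hardened
        # Constructed accounts standing in for the ones handed out in class.
        self.users = {1: {"role": "admin", "pw": "a"},
                      2: {"role": "prof", "pw": "p"},
                      3: {"role": "student", "pw": "s"},
                      4: {"role": "student", "pw": "o"}}
        self.marks = {3: 4.0}  # student uid -> mark
        # mid -> (author uid, recipient uid, text)
        self.messages = {1: (2, 4, "private note from prof to user 4")}

    def deny_unless(self, ok, why):
        # The hardened application enforces the check; the vulnerable one skips it.
        if self.hardened and not ok:
            raise Forbidden(why)

    # 'session' is the uid established at login and kept server-side; it is the
    # only trusted statement of who the caller is. Every other argument comes
    # from the request (URL or form field) and is under the attacker's control.

    # --- Missing Function Level Access Control (Marks Manager) ---
    def set_mark(self, session, student_uid, mark):
        # Vulnerable: being logged in is enough, so a student who notes the URL of
        # the change-mark function can request it and give themself a 6.0.
        self.deny_unless(self.users[session]["role"] in ("prof", "admin"),
                         "only professors may change marks")
        self.marks[student_uid] = mark
        return self.marks[student_uid]

    # --- Insecure Direct Object References (guestbook) ---
    def read_message(self, session, mid):
        msg = self.messages.get(mid)
        # Vulnerable: the id from the URL is used as-is. Hardened: sender or
        # recipient only, and an unknown id gets the same reply as a foreign one
        # so the response does not reveal which ids exist.
        self.deny_unless(msg is not None and session in msg[:2], "not your message")
        if msg is None:
            raise KeyError(mid)  # vulnerable app: plain 'not found', leaks that the id is unused
        return msg[2]

    def send_message(self, session, author_uid, recipient_uid, text):
        # Vulnerable: trusts the author field the client submits (e.g. a hidden
        # input). Hardened: the author must be the logged-in user (better still,
        # do not accept an author field at all and always use the session uid).
        self.deny_unless(author_uid == session, "author must be the logged-in user")
        mid = len(self.messages) + 1
        self.messages[mid] = (author_uid, recipient_uid, text)
        return mid

    def change_password(self, session, target_uid, new_pw):
        # Vulnerable: any logged-in user can change any account by editing the uid.
        self.deny_unless(target_uid == session or self.users[session]["role"] == "admin",
                         "may only change your own password")
        self.users[target_uid]["pw"] = new_pw
        return self.users[target_uid]["pw"]


def readable_ids(app, session, max_id=10):
    """Guestbook steps 2-3: try every candidate id in the URL, as an attacker
    would, and return the ids this session was allowed to read."""
    found = []
    for mid in range(1, max_id + 1):
        try:
            app.read_message(session, mid)
            found.append(mid)
        except (Forbidden, KeyError):
            pass
    return found


def run_attack(hardened):
    """Replay the exercise steps logged in as the student account (uid 3).
    Each value is True when that step succeeded against the application."""
    app, s, r = App(hardened), 3, {}

    def attempt(name, fn):
        try:
            fn()
            r[name] = True
        except Forbidden:
            r[name] = False

    attempt("student_changes_own_mark", lambda: app.set_mark(s, 3, 6.0))
    r["reads_profs_message"] = 1 in readable_ids(app, s)
    attempt("posts_as_prof", lambda: app.send_message(s, 2, 4, "hi"))
    attempt("changes_prof_password", lambda: app.change_password(s, 2, "pwned"))
    return r
```

run_attack(False) reports every step as successful and run_attack(True) reports every step as blocked. The point to take from it: the fix is never "hide the URL" or "remove the link from the menu", it is a server-side check, on every request, that the identity in the session is allowed to perform that function on that object.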