Broken Access Control : Exercises
Missing Function Level Access Control
For this exercise we use a new application for the management of marks, Marks Manager. You will receive from the professor the usernames and passwords of different users (admin, prof, student).
Normally a student cannot change their own marks.
Visit the site as each of the different users. Note the URLs of the different resources, including the ones that are only shown to some of the roles.
Try to change the mark of a student (give them a 6.0, for instance) while logged in as a student.
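The following is an added example and not the course's Marks Manager application. It models the pattern the exercise asks you to find: the "set mark" function is simply not linked in a student's menu, but the server never checks the caller's role, so a URL noted while logged in as the professor can be replayed as the student. The checked dispatcher shows where the function-level check belongs. Accounts, roles, URL paths and marks are constructed sample data.

```python
"""Added example (not the course's Marks Manager): a minimal model of a
mark-management app whose "set mark" function is hidden from students
in the menu but not protected on the server, beside the checked version.
Accounts, roles, URLs and marks are constructed sample data."""
from urllib.parse import urlsplit, parse_qs


class Forbidden(Exception):
    pass


# Constructed accounts with the three roles handed out in the exercise.
ROLES = {"admin": "admin", "prof": "prof", "student": "student"}

# Which links each role sees in the navigation. Hiding a link is NOT an
# access-control check: the URL still works for anyone who knows it.
MENU = {
    "student": ["/marks/view"],
    "prof":    ["/marks/view", "/marks/set"],
    "admin":   ["/marks/view", "/marks/set", "/users"],
}

# Roles allowed to call each function, enforced only by the checked dispatcher.
ALLOWED = {
    "/marks/view": {"student", "prof", "admin"},
    "/marks/set":  {"prof", "admin"},
    "/users":      {"admin"},
}


def parse_url(url):
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query)


class MarksManager:
    def __init__(self):
        self.marks = {"student": 4.0}   # constructed: one student, one mark

    def view(self, user, params):
        return dict(self.marks)

    def set_mark(self, user, params):
        student = params["student"][0]
        mark = float(params["mark"][0])
        if not 1.0 <= mark <= 6.0:      # input validation, separate from authorization
            raise ValueError("mark out of range")
        self.marks[student] = mark
        return dict(self.marks)

    def users(self, user, params):
        return sorted(ROLES)

    ROUTES = {"/marks/view": view, "/marks/set": set_mark, "/users": users}

    def handle_vulnerable(self, user, url):
        """Dispatches on the path only; the caller's role is never consulted."""
        path, params = parse_url(url)
        return self.ROUTES[path](self, user, params)

    def handle_checked(self, user, url):
        """Same dispatch, but the function-level check happens here, on every
        request, regardless of whether the menu showed the link."""
        path, params = parse_url(url)
        if ROLES[user] not in ALLOWED.get(path, set()):
            raise Forbidden(f"{user} ({ROLES[user]}) may not call {path}")
        return self.ROUTES[path](self, user, params)


def demo():
    """The exercise, step by step: note the prof's URL, replay it as the student."""
    noted_url = "/marks/set?student=student&mark=5.0"    # seen while browsing as prof
    replay = noted_url.replace("mark=5.0", "mark=6.0")   # student edits the query string

    hidden = "/marks/set" not in MENU["student"]         # link not shown to the student...
    vuln = MarksManager()
    after_vuln = vuln.handle_vulnerable("student", replay)["student"]   # ...but the call works

    fixed = MarksManager()
    try:
        fixed.handle_checked("student", replay)
        blocked = False
    except Forbidden:
        blocked = True
    return hidden, after_vuln, blocked, fixed.marks["student"]


if __name__ == "__main__":
    print(demo())
```

The point to take from the model: the menu and the dispatcher are two different things. Whether a link is rendered says nothing about whether the function it points to is protected, so the check must sit in the request handling path for every call.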
Attack your guestbook using insecure direct object references
- Log in as a normal user.
- Get the IDs of all users. For doing this, you do not have the right to look in the database (too easy).
- Read some messages you do not have the right to read (by changing the id in the URL).
- Send messages with a wrong author.
- Change the password of any user (other than the one you are logged in as).
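The following is an added example and not the guestbook from the course. It models the three functions the list above attacks (read a message by id, post a message, change a password), each once in the vulnerable form, where the object id, the author and the target account are taken straight from the request, and once in the checked form, where the identity comes from the session and each object access is authorized. Users, messages, ids and passwords are constructed sample data.

```python
"""Added example, not the course guestbook: an in-memory model of the three
guestbook functions the exercise attacks (read a message by id, post a
message, change a password), each in a vulnerable and a checked form.
Users, messages and passwords are constructed sample data."""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass
class Message:
    id: int
    author: str
    recipient: str     # private message: readable by author and recipient only
    body: str


class Guestbook:
    def __init__(self):
        # Constructed sample state. Passwords are kept in clear only to keep the
        # model short; a real application stores salted hashes.
        self.users = {"alice": "alice-pw", "bob": "bob-pw", "admin": "admin-pw"}
        # Sequential ids are what makes the reference guessable (id=1, 2, 3, ...).
        self.messages = {
            1: Message(1, "alice", "bob", "hi bob"),
            2: Message(2, "admin", "alice", "your account review is pending"),
            3: Message(3, "bob", "admin", "please reset my password"),
        }

    # ---- vulnerable: object references and identities are taken from the request ----

    def read_vulnerable(self, session_user, msg_id):
        """GET /message?id=N: any id works, whoever is logged in."""
        return self.messages[msg_id]

    def post_vulnerable(self, session_user, author_field, recipient, body):
        """The author comes from a (hidden) form field, so it can be anyone."""
        mid = max(self.messages) + 1
        self.messages[mid] = Message(mid, author_field, recipient, body)
        return self.messages[mid]

    def change_password_vulnerable(self, session_user, user_field, new_pw):
        """The account to update is named by the form, not by the session."""
        self.users[user_field] = new_pw

    # ---- checked: identity from the session, an authorization check per object ----

    def read_checked(self, session_user, msg_id):
        msg = self.messages.get(msg_id)
        # Same failure for "does not exist" and "not yours", so a scan of ids
        # does not reveal which ones exist.
        if msg is None or session_user not in (msg.author, msg.recipient):
            raise Forbidden("no such message")
        return msg

    def post_checked(self, session_user, recipient, body):
        if recipient not in self.users:
            raise ValueError("unknown recipient")
        mid = max(self.messages) + 1
        self.messages[mid] = Message(mid, session_user, recipient, body)  # author = session
        return self.messages[mid]

    def change_password_checked(self, session_user, target, new_pw):
        if target != session_user and session_user != "admin":
            raise Forbidden("you may only change your own password")
        self.users[target] = new_pw


def attack_as_bob(gb):
    """What 'bob', a normal user, achieves against the vulnerable functions."""
    leaked = gb.read_vulnerable("bob", 2).body                 # admin -> alice, not bob's
    forged = gb.post_vulnerable("bob", "admin", "alice", "send me your password").author
    gb.change_password_vulnerable("bob", "alice", "owned")
    return leaked, forged, gb.users["alice"]


def attack_as_bob_checked(gb):
    """The same three attempts against the checked functions."""
    results = []
    for attempt in (lambda: gb.read_checked("bob", 2),
                    lambda: gb.change_password_checked("bob", "alice", "owned")):
        try:
            attempt()
            results.append("allowed")
        except Forbidden:
            results.append("forbidden")
    # There is no author field any more: the post is attributed to the session user.
    results.append(gb.post_checked("bob", "alice", "send me your password").author)
    return tuple(results)


if __name__ == "__main__":
    print(attack_as_bob(Guestbook()))
    print(attack_as_bob_checked(Guestbook()))
```

Note the common thread in the fixes: nothing that identifies the acting user is read from the request, and every object looked up by an id from the request is checked against that user before it is returned or modified.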
Contact
Prof. Dr. Emmanuel Benoist
Berner Fachhochschule - TI
Quellgasse 21
CH-2501 Biel/Bienne
Switzerland
Mail: emmanuel.benoist (at) bfh.ch