Role-Based Access Control (RBAC)
RBAC defines the roles of a system in advance; each role carries its own permissions, so a role is in effect a set of permissions. Every user of the system is assigned to one or more roles, a single user may hold several roles, and roles are ranked relative to one another.
1. Bypass a Path Based Access Control Scheme
The 'guest' user has access to all the files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted. An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml. Remember that file paths will be different if using the WebGoat source.
Task: the lesson shows a directory listing; the goal is to modify the request parameter so that a file outside that directory, such as tomcat/conf/tomcat-users.xml, is read.
Solution: capture the request with Tamper Data and change the file name. The steps are:
Change the File value captured by Tamper Data to /../../../../conf/tomcat-users.xml. Each ../ moves up one directory level; the number of levels needed depends on the environment.
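The weakness exploited above is that the server joins the user-supplied file name to the lesson directory without checking where the joined path ends up. The following is an added example, not code from this write-up or from WebGoat, of how a file-serving handler should resolve the request: canonicalise the joined path and refuse anything that does not stay inside the base directory, with the directory listing as a second, independent allowlist. The base directory path and the sample request values are constructed for the demonstration.

```python
import os
from typing import Dict, Iterable, Optional

# Assumed base directory for the lesson files (a constructed path, not
# WebGoat's real install layout).
BASE_DIR = "/var/webgoat/lesson_plans/English"

# Constructed directory listing: the names the user was actually shown.
LISTING = frozenset({"Intro.html", "Lesson1.html", "Lesson2.html"})


def resolve_lesson_file(requested: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical absolute path for `requested` if it stays inside
    base_dir, otherwise None.

    The request value is joined to the base directory and canonicalised with
    os.path.realpath, which collapses every '..' segment and follows symlinks
    where the path exists. The containment test runs on the canonical form,
    so '/../../../../conf/tomcat-users.xml' is rejected however many '../'
    segments it carries.
    """
    # An embedded NUL would truncate the name in C-level file APIs; reject it
    # before any path handling.
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` starts with '/', which is
    # exactly what an absolute-path request tries; the containment check
    # below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_listed(requested: str, listing: frozenset = LISTING) -> bool:
    """Independent control: only names that appear in the listing the user
    was shown are served at all, regardless of where they would resolve."""
    return requested in listing


def classify(requests: Iterable[str]) -> Dict[str, bool]:
    """Map each request value to True (would be served) or False (denied),
    applying both the containment check and the allowlist."""
    return {
        r: resolve_lesson_file(r) is not None and is_listed(r)
        for r in requests
    }


if __name__ == "__main__":
    samples = [
        "Intro.html",                            # listed, inside base
        "sub/../Intro.html",                     # resolves inside, but not listed
        "../../conf/tomcat-users.xml",           # climbs out of base
        "/../../../../conf/tomcat-users.xml",    # the payload used in the lesson
        "/etc/passwd",                           # absolute path
        "Intro.html\x00.jpg",                    # NUL truncation attempt
    ]
    for req, ok in classify(samples).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req!r} -> {resolve_lesson_file(req)}")
```

The containment check alone would let `sub/../Intro.html` through, because it canonicalises to a file inside the directory; the allowlist is what ties the request to the names the user was offered. Keeping both means a canonicalisation mistake in one layer is not enough on its own.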
2. Bypass Presentational Layer Access Control
As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. Verify that Tom's profile can be deleted. The passwords for users are their given names in lowercase (e.g. the password for Tom Cat is "tom").
Task: Tom can log in and view his own profile; the goal is to delete Tom's profile by modifying the submitted parameter.
Solution: change the submitted action parameter from ViewProfile to DeleteProfile.
3. Breaking Data Layer Access Control
As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.
Task: Tom can log in and view his own profile; the goal is to escalate privileges so that Tom can view any employee's profile.
Solution: use Tamper Data to change the submitted employee_id parameter to the id of the user whose profile you want to view.
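Lessons 2 and 3 fail for the same reason: the server trusts that whatever the page rendered (a View button but no Delete button, Tom's own employee_id in the form) is all the client will send back. The added example below, which is not code from this write-up or from WebGoat, shows the server-side checks that close both holes, using the RBAC model from the top of the page: roles are permission sets, a function-level check rejects an action the user's roles do not grant (the ViewProfile to DeleteProfile swap), and an object-level check rejects a record the user neither owns nor manages (the employee_id swap). The user table, role names and manager mapping are constructed for the demonstration; the acting user is taken from the authenticated session, never from a request parameter.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Constructed sample data; none of it is WebGoat's real user table.
# Roles are modelled as permission sets, as the RBAC description above says.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"ViewProfile"}),
    "manager": frozenset({"ViewProfile", "DeleteProfile"}),
}

# user_id -> (display name, roles held)
USERS: Dict[int, Tuple[str, Set[str]]] = {
    101: ("Tom Cat", {"employee"}),
    102: ("Jerry Mouse", {"employee"}),
    103: ("Moe Stooge", {"manager"}),
}

# employee_id -> user_id of the manager responsible for that employee
MANAGER_OF: Dict[int, int] = {101: 103, 102: 103}


def permissions_for(user_id: int) -> Set[str]:
    """Union of the permission sets of every role the user holds."""
    perms: Set[str] = set()
    for role in USERS[user_id][1]:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def owns_or_manages(actor_id: int, employee_id: int) -> bool:
    """Object-level rule: a user may act on their own profile or on the
    profiles of employees they manage. Anything else is denied."""
    return actor_id == employee_id or MANAGER_OF.get(employee_id) == actor_id


def authorize(actor_id: int, action: str, employee_id: int) -> bool:
    """Both checks must pass. The first stops the ViewProfile -> DeleteProfile
    swap (presentational-layer bypass); the second stops the employee_id swap
    (data-layer bypass). The target must also exist."""
    if action not in permissions_for(actor_id):
        return False
    if not owns_or_manages(actor_id, employee_id):
        return False
    return employee_id in USERS


def handle_request(session_user_id: int, params: Dict[str, str]) -> Dict[str, object]:
    """Server-side handler. `session_user_id` comes from the authenticated
    session; only `action` and `employee_id` are read from the request, and
    both are treated as untrusted input."""
    action = params.get("action", "")
    try:
        employee_id = int(params.get("employee_id", ""))
    except ValueError:
        return {"status": 400, "error": "bad employee_id"}
    if not authorize(session_user_id, action, employee_id):
        # One response for 'no such permission', 'not your record' and
        # 'no such record', so the reply does not reveal which check failed.
        return {"status": 403, "error": "forbidden"}
    if action == "ViewProfile":
        return {"status": 200, "employee_id": employee_id, "name": USERS[employee_id][0]}
    if action == "DeleteProfile":
        del USERS[employee_id]
        MANAGER_OF.pop(employee_id, None)
        return {"status": 200, "deleted": employee_id}
    return {"status": 400, "error": "unknown action"}


if __name__ == "__main__":
    tom, manager = 101, 103
    # What the UI offered Tom: view his own profile.
    print(handle_request(tom, {"action": "ViewProfile", "employee_id": "101"}))
    # Lesson 2 style request: same form, action swapped to DeleteProfile.
    print(handle_request(tom, {"action": "DeleteProfile", "employee_id": "101"}))
    # Lesson 3 style request: same action, employee_id swapped to a colleague.
    print(handle_request(tom, {"action": "ViewProfile", "employee_id": "102"}))
    # A manager deleting a direct report is what the role actually permits.
    print(handle_request(manager, {"action": "DeleteProfile", "employee_id": "101"}))
```

Hiding the Delete button from employees is still worth doing for usability, but it is not a control: the decision has to be repeated in `handle_request` on every call, with the identity taken from the session and the action and target taken from the request only after `authorize` has accepted them.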