
Access Control Flaws


Under “Access Control Flaws” read through the lessons and lesson plans there:

  • Using an Access Control Matrix
  • Bypass a Path Based Access Control Scheme

Also do “Remote Admin Access” which is about finding vulnerabilities with an admin interface.


Work through the lab “Role Based Access Control.” Two of its stages only work with the developer version of WebGoat; feel free to skip those if you don’t have that version. Be sure to do “Remote Admin Access” after reading the lesson plan on how to force browsing of web resources (found under “Lesson Plan”).


Briefly discuss your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students? Anything else you’d like to discuss about this week’s lesson?

Because WebGoat focuses on Java, let's discuss some of the other languages and how to prevent this vulnerability in them. For your preferred language and/or framework, research and post how you can prevent the vulnerabilities discussed this week.

A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!

Task Discussion

  • Seye Kuyinu   Oct. 23, 2011, 6:30 a.m.

    I am quite new here and a little bit confused. You mentioned in two classes about reading something. I guess from a book. I am quite lost here. Please can you explain

  • Vladimir Támara Patiño   Oct. 24, 2011, 9:19 p.m.
    In Reply To:   Seye Kuyinu   Oct. 23, 2011, 6:30 a.m.

    Reading the text shown by WebGoat when you press the button Lesson.  Please check how to install WebGoat in the task of the first week:

  • Vladimir Támara Patiño   Oct. 5, 2011, 6:21 p.m.

    Preventing Control Access Flaws

    The verification requirements suggested by OWASP Application Security Verification Standard 2009 are:

    • V4.1  Verify that users can only access protected functions for which they possess specific authorization.
    • V4.2  Verify that users can only access URLs for which they possess specific authorization.
    • V4.3  Verify that users can only access data files for which they possess specific authorization.
    • V4.4  Verify that direct object references are protected, such that only authorized objects are accessible to each user.
    • V4.5  Verify that directory browsing is disabled unless deliberately desired.
    • V4.6  Verify that users can only access services for which they possess specific authorization.
    • V4.7  Verify that users can only access data for which they possess specific authorization.
    • V4.8  Verify that access controls fail securely.
    • V4.9  Verify that the same access control rules implied by the presentation layer are enforced on the server side.
    • V4.10 Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
    • V4.11 Verify that all access controls are enforced on the server side.
    • V4.12 Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource.
    • V4.13 Verify that limitations on input and access imposed by the business on the application (such as daily transaction limits or sequencing of tasks) cannot be bypassed.
    • V4.14 Verify that all access control decisions can be logged and all failed decisions are logged.
    • V4.15 Verify that all code implementing or using access controls is not affected by any malicious code.
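The task above asks how the week's flaws are prevented in a language other than Java, and the ASVS list in this post names the properties a fix should have. The following is an added example in Python, not code from the course, from WebGoat or from OWASP, showing one way those requirements look in code: a single deny-by-default authorization choke point (V4.8, V4.11, V4.12), direct object references checked against the real object's owner rather than the id the client sent (V4.4, V4.7), a business limit enforced server-side (V4.13), and an audit log that records every decision and flags the failed ones (V4.14). The users, roles, documents and the daily limit are constructed sample data.

```python
"""Centralized, deny-by-default access control check (added example, not the course's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- constructed sample data (not from the page) ---
@dataclass
class User:
    name: str
    roles: frozenset
    daily_spent: int = 0   # used for the business-limit rule (V4.13)

@dataclass
class Document:
    doc_id: int
    owner: str
    content: str

DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}

DAILY_LIMIT = 1000  # constructed business limit

# Audit log: every decision is recorded, with a flag for denials (V4.14).
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []

def _log(user: str, action: str, resource: str, allowed: bool, reason: str) -> None:
    AUDIT_LOG.append((user, action, resource, allowed, reason))

# Policy rules: the decision is made from the server-side object, never from
# anything the client asserts about itself (V4.10, V4.11).
def _can_read_document(user: User, doc: Document) -> bool:
    return "admin" in user.roles or doc.owner == user.name

def _can_delete_document(user: User, doc: Document) -> bool:
    return "admin" in user.roles

def _can_transfer(user: User, amount: int) -> bool:
    return "customer" in user.roles and user.daily_spent + amount <= DAILY_LIMIT

# The only place a (action, resource type) pair is mapped to a rule (V4.12).
# Any pair missing from this table is denied (V4.8).
POLICY: Dict[Tuple[str, str], Callable] = {
    ("read", "document"): _can_read_document,
    ("delete", "document"): _can_delete_document,
    ("transfer", "account"): _can_transfer,
}

def authorize(user: User, action: str, resource_type: str, obj) -> bool:
    """Single server-side choke point. Returns True only when a rule exists and
    explicitly grants access; a missing rule or an error in a rule is a deny."""
    rule = POLICY.get((action, resource_type))
    if rule is None:
        _log(user.name, action, resource_type, False, "no rule")
        return False
    try:
        allowed = bool(rule(user, obj))
    except Exception as exc:  # fail securely (V4.8)
        _log(user.name, action, resource_type, False, f"error: {exc}")
        return False
    _log(user.name, action, resource_type, allowed, "policy")
    return allowed

def read_document(user: User, doc_id: int) -> str:
    """Direct object reference protected (V4.4): resolve the id server-side,
    then authorize against the actual object's owner."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not authorize(user, "read", "document", doc):
        # Same response for 'missing' and 'forbidden' so ids cannot be enumerated.
        raise PermissionError("access denied")
    return doc.content

def transfer(user: User, amount: int) -> bool:
    """Business limit enforced on the server regardless of what the UI showed (V4.9, V4.13)."""
    if not authorize(user, "transfer", "account", amount):
        return False
    user.daily_spent += amount
    return True

def failed_decisions() -> List[Tuple[str, str, str, bool, str]]:
    """Denied decisions, the subset V4.14 requires to be logged."""
    return [entry for entry in AUDIT_LOG if not entry[3]]

if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    print(read_document(alice, 1))          # alice's own document
    try:
        read_document(alice, 2)             # bob's document: denied
    except PermissionError as err:
        print("doc 2:", err)
    print("transfer 600:", transfer(alice, 600))
    print("transfer 600 again:", transfer(alice, 600))  # exceeds daily limit
    print("failed decisions:", failed_decisions())
```

The point to notice is that `read_document` never trusts the id it was given: the owner check runs on the object the server looked up, and "missing" and "forbidden" produce the same error so the id space cannot be probed. Every path that does not reach an explicit grant ends in a deny that is written to the audit log.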