This course will become read-only in the near future. Tell us at if that is a problem.

Access Control Flaws [Sept. 16, 2011, 12:15 a.m.]


Under “Access Control Flaws” read through the lessons and lesson plans there:

  • Using an Access Control Matrix
  • Bypass a Path Based Access Control Scheme

Also do “Remote Admin Access” which is about finding vulnerabilities with an admin interface.


Work through the lab “Role Based Access Control.” Two only work with the developer version of WebGoat. Feel free to skip those if you don’t have that version. Be sure and do “Remote Admin Access” after reading the lesson plan on how to force browser web resources (found under “Lesson Plan”).


Briefly discuss your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students? Anything else you’d like to discuss about this week’s lesson?

A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!