Let's look at a practical example using WebGoat:
- Log in to WebGoat and go to Access Control Flaws | LAB Role Based Access Control | Stage 1: Bypass Business Layer Access Control:
- Use Tomcat's credentials (Tom:tom) to log in and enable Firefox's Developer Tools (F12).
- Let's inspect the list of employees. We can see that the only element, Tom Cat (employee), is an option HTML tag with the value 105:
- Go to the Network tab in Developer Tools and click on ViewProfile. Notice how the request has a parameter called employee_id ...