GitHub: laplacef/webgoat-broken-access-control
# webgoat-broken-access-control
[Published site](https://laplacef.github.io/webgoat-broken-access-control/) | [Zenodo DOI](https://doi.org/10.5281/zenodo.20407989) | [WebGoat](https://github.com/WebGoat/WebGoat) | [Burp Suite](https://portswigger.net/burp) | [mitmproxy](https://mitmproxy.org) | [License](LICENSE.md)
A volume of empirical case studies on **Broken Access Control** vulnerabilities, reproduced and analysed against OWASP WebGoat at a pinned release, and part of **The WebGoat Case Series**. Each case study pairs empirical demonstration of the exploit with source-level analysis of the WebGoat implementation, counterfactual identification of the missing or inadequate control, and explicit mapping to OWASP and CWE taxonomy.
## Case Studies
- [Session Hijacking](content/session-hijacking.md). Predictable session identifier generation (CWE-330, CWE-340) and the keyspace collapse that follows from pairing a global counter with a wall-clock timestamp.
- [Insecure Direct Object References](content/insecure-direct-object-references.md). Missing object-level authorization (CWE-639, API1:2023 BOLA) on a profile endpoint that leaks the very identifier required to enumerate and modify other users' records.
## How to Cite
**DOI:** per-release DOIs and pre-formatted citations are available on the [Zenodo deposit page](https://doi.org/10.5281/zenodo.20407989).
## Acknowledgments
Tools and target application referenced throughout this volume:
- [WebGoat](https://github.com/WebGoat/WebGoat) (target application)
- [Burp Suite](https://portswigger.net/burp) (interception proxy)
- [mitmproxy](https://mitmproxy.org) (interception proxy)
- [mystmd](https://mystmd.org) (publication framework)
## License
- **Content** (case study prose and screenshots): [CC BY-NC-SA 4.0](LICENSE.md)
- **Code** (everything else in the repo): [Apache-2.0](LICENSE.md)