Unprotected admin functionality
Unprotected admin functionality with unpredictable URL
User role controlled by request parameter
User role can be modified in user profile
User ID controlled by request parameter
User ID controlled by request parameter, with unpredictable user IDs
User ID controlled by request parameter with data leakage in redirect
User ID controlled by request parameter with password disclosure
Insecure direct object references
URL-based access control can be circumvented
Method-based access control can be circumvented
Multi-step process with no access control on one step
Referer-based access control
Last updated 9 months ago