My go-to checklist when testing for BAC. Not meant to be exhaustive, just the stuff that actually finds bugs consistently.
- Burp Suite running, scope set
- At least 2 accounts ready (admin + low-priv, ideally a third with no auth)
- Map out all the roles the app has - check docs, settings pages, invite flows
First thing I do is map out all the roles and what each one can access. I log into each account and just click through everything, noting which endpoints show up in Burp for each role.
- Save the sitemap per role
- Diff them - anything that only shows up for admin is your target list
- Pay attention to the HTTP methods too, not just the paths
This is where most of the bugs are.
- Grab object IDs from your own account (user id, order id, file id, etc)
- Swap them with IDs from the other account
- Check both read and write - sometimes you can't view but you CAN edit
- Don't just test in the URL, check request body params and headers too
- Try UUIDs vs sequential IDs - sequential is way easier to enumerate
- Check if the API returns more data than the frontend shows
- Take a request that only admin can make
- Replay it with a low-priv user's session token
- Try changing role parameters in requests (role=admin, isAdmin=true, etc)
- Check if admin endpoints are just hidden in the UI but still functional
- Test the registration/invite flow - can you assign yourself a higher role?
- Hit every endpoint with no auth token at all
- Try expired tokens, see if they still work
- Check if logging out actually invalidates the session server-side
- Look for endpoints that rely on obscurity instead of auth checks
- Send requests with Origin headers from random domains
- Check if credentials are allowed with wildcard origins
- Look for reflected origins in Access-Control-Allow-Origin
- If there's a GraphQL endpoint, try introspection and query fields you shouldn't see
- REST APIs - try different HTTP methods (PUT/DELETE on things you should only GET)
- Check if the mobile API has weaker controls than the web one
- Look for older API versions (v1 vs v2) that might not be patched
- Multi-step flows: skip steps, go backwards, replay steps
- State transitions: can you cancel something already completed?
- Rate limits: are they per-account or per-session? Can you bypass by rotating?
- Exported data (CSV/PDF downloads) sometimes skips access checks
- Webhook/notification endpoints often lack auth
- File uploads - can you access other users' uploaded files by guessing the path?
- Admin functionality hidden behind JS toggles but accessible via direct requests
- Password reset flows that leak tokens or let you reset other users
- Always check
/admin,/debug,/internal,/graphql,/api-docs - Try adding
.jsonto endpoints that return HTML - Test what happens when you send a valid admin cookie with a low-priv JWT
- Check if deleting your cookie vs sending an invalid one gives different errors (different errors = different code paths = potential bypass)