How do you test for broken access control and IDOR vulnerabilities?

Security · Mid · Tags: security, access-control, idor, owasp, privilege-escalation, testing

Short answer

An Insecure Direct Object Reference occurs when an application exposes a reference to an internal object (a database key, a file name) and does not verify that the requester is authorised for that object, so users can reach other users' resources simply by guessing or incrementing identifiers. Test by authenticating as User A, capturing a resource URL or ID, then authenticating as User B and requesting that resource. Any 200 response containing User A's data is a failure.

Detail

Broken access control is ranked #1 in the OWASP Top 10 (2021). It covers both horizontal privilege escalation (User A accessing User B's data at the same permission level) and vertical privilege escalation (a regular user reaching admin functionality).

IDOR test process:

  1. Create two test accounts (User A and User B) with the same role.
  2. As User A, create or access a resource (order, profile, document). Capture the resource identifier from the URL or response body.
  3. Log out. Authenticate as User B.
  4. Request the resource using User A's identifier (GET /api/orders/12345).
  5. Assert: 403 Forbidden (not 404, not 200 with User A's data).

Vertical escalation test process:

  1. Identify admin-only endpoints from the API documentation, network traffic, or JavaScript source.
  2. Make requests to those endpoints using a regular-user session token.
  3. Assert: 403 Forbidden. 404 is acceptable if the endpoint existence is hidden, but 200 is a failure.

Systematic coverage: don't test a sample — test every endpoint. Generate a matrix of (endpoint, method, role) and automate it. A parameterised API test that sends requests to every endpoint with every role and asserts the expected HTTP status code is the most thorough approach.
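The two-account IDOR check, the vertical-escalation check and the (endpoint, method, role) matrix above can be expressed as one automated test. The following is an added example, not code from the original page: it models a tiny API as a plain Python function so the matrix runs offline, and places a deliberately unchecked handler next to a hardened one so the matrix visibly catches the bug. The order IDs, session tokens, user names and the rule that admins may read any order are constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed sample state: two regular users owning one order each, plus an admin.
ORDERS = {
    12345: {"owner": "alice", "total": 49.99},
    67890: {"owner": "bob", "total": 12.00},
}
SESSIONS = {  # bearer token -> principal (constructed; None models an anonymous request)
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-admin": {"user": "root", "role": "admin"},
}
ORDER_RE = re.compile(r"^/api/orders/(\d+)$")


def vulnerable_api(method: str, path: str, token: Optional[str]) -> int:
    """Authenticates the caller but never checks ownership or role: the IDOR bug."""
    principal = SESSIONS.get(token)
    if principal is None:
        return 401
    m = ORDER_RE.match(path)
    if method == "GET" and m:
        # Horizontal bug: any authenticated user can read any existing order.
        return 200 if int(m.group(1)) in ORDERS else 404
    if method == "GET" and path == "/api/admin/users":
        # Vertical bug: the admin endpoint only checks that a session exists.
        return 200
    return 404


def hardened_api(method: str, path: str, token: Optional[str]) -> int:
    """Same routes, but every object access is checked against the caller."""
    principal = SESSIONS.get(token)
    if principal is None:
        return 401
    m = ORDER_RE.match(path)
    if method == "GET" and m:
        order = ORDERS.get(int(m.group(1)))
        if order is None:
            return 404
        # Ownership check (assumed policy: admins may read every order).
        if order["owner"] == principal["user"] or principal["role"] == "admin":
            return 200
        return 403
    if method == "GET" and path == "/api/admin/users":
        return 200 if principal["role"] == "admin" else 403
    return 404


def build_matrix():
    """Every (method, path, token) combination with the status the policy expects.

    The expected value is computed from the policy, not from the API, so the
    matrix stays correct when the implementation is wrong.
    """
    cases = []
    for token, principal in SESSIONS.items():
        for order_id, order in ORDERS.items():
            owns = order["owner"] == principal["user"]
            expected = 200 if owns or principal["role"] == "admin" else 403
            cases.append(("GET", f"/api/orders/{order_id}", token, expected))
        admin_expected = 200 if principal["role"] == "admin" else 403
        cases.append(("GET", "/api/admin/users", token, admin_expected))
    # An unauthenticated request must be rejected outright, never answered with data.
    cases.append(("GET", "/api/orders/12345", None, 401))
    return cases


def run_matrix(api):
    """Run the whole matrix against an API and return the mismatches.

    Each failure is (method, path, token, expected_status, actual_status).
    An empty list means every endpoint returned the status the policy demands.
    """
    failures = []
    for method, path, token, expected in build_matrix():
        actual = api(method, path, token)
        if actual != expected:
            failures.append((method, path, token, expected, actual))
    return failures


if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_api), ("hardened", hardened_api)):
        print(f"{name}: {len(run_matrix(api))} access-control failures")
        for f in run_matrix(api):
            print("  ", f)
```

Against a real service the two handler functions would be replaced by a thin wrapper that sends the request with the given token and returns the HTTP status; the matrix and the assertion stay the same. Note that the expected status comes from the policy description (who owns what, which role an endpoint needs), which is what makes the test catch an implementation that silently grants too much.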

Common patterns to find: sequential integer IDs (/orders/1001, /orders/1002), UUIDs predictably derived from user data, and object IDs exposed in JavaScript bundles or HTML comments.

What interviewers look for

Distinguishes horizontal (same role, different user) from vertical (different role) privilege escalation. Describes the two-account test setup. Advocates systematic endpoint coverage, not sampling.