## Apprentice Level - βœ… [[1. Unprotected admin functionality]] - βœ… [[2. Unprotected admin functionality with unpredictable URL]] - βœ… [[3. User role controlled by request parameter]] - βœ… [[4. User role can be modified in user profile]] - βœ… [[5. User ID controlled by request parameter]] - βœ… [[6. User ID controlled by request parameter, with unpredictable user IDs]] - βœ… [[7. User ID controlled by request parameter with data leakage in redirect]] - βœ… [[8. User ID controlled by request parameter with password disclosure]] - βœ… [[9. Insecure direct object references]] ## Practitioner Level - βœ… [[10. URL-based access control can be circumvented]] - βœ… [[11. Method-based access control can be circumvented]] - βœ… [[12. Multi-step process with no access control on one step]] - βœ… [[13. Referer-based access control]]