## Apprentice Level
- β
[[1. Unprotected admin functionality]]
- β
[[2. Unprotected admin functionality with unpredictable URL]]
- β
[[3. User role controlled by request parameter]]
- β
[[4. User role can be modified in user profile]]
- β
[[5. User ID controlled by request parameter]]
- β
[[6. User ID controlled by request parameter, with unpredictable user IDs]]
- β
[[7. User ID controlled by request parameter with data leakage in redirect]]
- β
[[8. User ID controlled by request parameter with password disclosure]]
- β
[[9. Insecure direct object references]]
## Practitioner Level
- β
[[10. URL-based access control can be circumvented]]
- β
[[11. Method-based access control can be circumvented]]
- β
[[12. Multi-step process with no access control on one step]]
- β
[[13. Referer-based access control]]