thexssrat

A general way of working

- You need to create 2 accounts.
- See if you can see data from account 1 that you should not see (the request SHOULD CONTAIN an ID).
- Use Autorize in Burp Suite or Access Control in ZAP.
- If you can make multiple companies, do so and test IDOR between those companies' employees.

BAC

- Test if you can execute functions of a higher privilege level (unauthenticated and normal user > admin).
- Test that higher-privilege functions cannot be executed by a lower-privilege user.
- Test ALL user levels.
- Test with Autorize:
  - JS functions via the developer console
  - Copy and paste of URL
- Test using Autorize.

IDOR

- Test between ALL tenants (companies hosted on one server/database; can also be divisions of companies).
- Test with Autorize:
  - JS functions via the developer console
  - Copy and paste of URL
- Test using Autorize.

Check these parameters

- Inside files for uploading
- Inside the URL fragment
- Inside URL parameters
- Inside POST parameters
- JWT
- Cookies
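The two-account and privilege-level checks above are what Autorize automates: record a request from one account, replay it with another account's session (or no session), and compare the responses. The following is an added example, not code from thexssrat's notes: a miniature in-memory application in two versions, a deliberately vulnerable handler that looks objects up by ID only and a hardened one that enforces tenant, ownership and role, plus a small replay harness that flags every case where a lower-privilege or other-tenant session gets the same successful response. All users, tenants, sessions and invoice IDs are constructed sample data.

```python
"""Added example: Autorize-style replay of recorded requests against
a vulnerable and a hardened in-memory app. Not from the original notes;
all names, sessions and IDs are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str  # "user" or "admin"


# Constructed sample data: two tenants, two invoices, three users.
USERS = {
    "alice": User("alice", "acme", "user"),
    "bob": User("bob", "globex", "user"),
    "carol": User("carol", "acme", "admin"),
}
INVOICES = {
    1: {"tenant": "acme", "owner": "alice", "total": 100},
    2: {"tenant": "globex", "owner": "bob", "total": 250},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-carol": "carol"}


def current_user(session):
    """Resolve a session token to a User, or None when unauthenticated."""
    return USERS.get(SESSIONS.get(session))


def vulnerable_app(session, action, obj_id):
    """The IDOR/BAC 'before' state: the ID alone decides what is returned."""
    if action == "get_invoice":
        inv = INVOICES.get(obj_id)
        return (200, inv) if inv else (404, None)
    if action == "delete_user":
        return (200, "deleted") if obj_id in USERS else (404, None)
    return (400, None)


def hardened_app(session, action, obj_id):
    """Authenticate, then enforce tenant, ownership and role on every call."""
    user = current_user(session)
    if user is None:
        return (401, None)
    if action == "get_invoice":
        inv = INVOICES.get(obj_id)
        if inv is None or inv["tenant"] != user.tenant:
            return (404, None)  # other tenants' IDs look non-existent
        if inv["owner"] != user.name and user.role != "admin":
            return (403, None)
        return (200, inv)
    if action == "delete_user":
        if user.role != "admin":
            return (403, None)
        target = USERS.get(obj_id)
        if target is None or target.tenant != user.tenant:
            return (404, None)
        return (200, "deleted")
    return (400, None)


# Recorded requests: (session, action, id, sessions that must NOT succeed).
# The last field is the tester's own knowledge of which accounts are lower
# privilege or belong to another tenant; None is the unauthenticated case.
RECORDED = [
    ("sess-alice", "get_invoice", 1, ["sess-bob", None]),
    ("sess-carol", "delete_user", "alice", ["sess-alice", "sess-bob", None]),
]


def replay_as_other_sessions(app, recorded):
    """Replay each successful recorded request with substituted sessions
    and return (action, id, original_session, other_session) for every
    case where the other session received the same successful response."""
    findings = []
    for session, action, obj_id, must_fail in recorded:
        status, body = app(session, action, obj_id)
        if status != 200:
            continue  # only successful originals are worth comparing
        for other in must_fail:
            o_status, o_body = app(other, action, obj_id)
            if o_status == 200 and o_body == body:
                findings.append((action, obj_id, session, other))
    return findings


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, replay_as_other_sessions(app, RECORDED))
```

The harness only flags a replay when the status and body both match the original, which is the same comparison a tester makes in Autorize's result table; responses with a 200 status but a different (e.g. error-page) body are not counted. The hardened handler returns 404 rather than 403 for other tenants' IDs so that a cross-tenant probe cannot confirm that an ID exists.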