
Finding Access Control Vulnerabilities with Autorize

ID: 8b442870-1c4a-5778-945b-6bd1f3fb1216

STIX ID: report--8b442870-1c4a-5778-945b-6bd1f3fb1216

Feed Name: Black Hills Infosec Blog

Threat Score
25/100

Date Published: 2024-11-21

Date Updated: 2026-04-27

Author: BHIS

...
...

This blog post demonstrates how to use the Burp Suite Autorize extension to detect broken access controls, both vertical (privilege level) and horizontal (same privilege level, different user), in web applications. Using OWASP Juice Shop, the author shows how to identify which cookies or headers carry the session token, strip each request down to that single essential token, configure Autorize to replay requests under a different user's authentication context, and discover an insecure direct object reference (IDOR) that allows retrieval of other users' shopping baskets; the article serves as a practical tutorial for penetration testers.
