Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.
Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
CORS misconfiguration allows unauthorized API access.
Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing an API with missing access controls for POST, PUT, and DELETE.
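The items above (a caller-controlled primary key, acting without being logged in, acting as admin from a user session, and write methods with no access check) all reduce to the same defect: the handler trusts the identifier and method in the request instead of deciding, for every request, whether this caller may perform this action on this record. The following is an added example, not code from the OWASP page: a small in-memory model of a vulnerable account endpoint beside a hardened one. The store, the users alice/bob/carol, the account ids, and the function names `handle_vulnerable`, `authorize`, `handle_hardened` and `outcome` are all constructed for illustration.

```python
"""
Added example (not from the original page): a caller-controlled record id
handled first without and then with server-side authorization.
All data, user names and function names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


class Unauthorized(Exception):
    """Caller is not logged in (would map to HTTP 401)."""


class Forbidden(Exception):
    """Caller is logged in but may not perform this action (HTTP 403)."""


def make_store() -> dict:
    """Constructed sample data: account records keyed by primary key."""
    return {
        101: {"owner": "alice", "balance": 50},
        102: {"owner": "bob", "balance": 75},
    }


# Constructed role table; authorization decisions read this, never the request.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

WRITABLE_FIELDS = {"balance"}  # 'owner' is never writable through the API


@dataclass
class Request:
    method: str
    account_id: int             # primary key taken straight from the URL
    user: Optional[str] = None  # None models an unauthenticated caller
    body: dict = field(default_factory=dict)


def handle_vulnerable(store: dict, req: Request) -> Optional[dict]:
    """Looks the record up by the caller-supplied id and trusts it.

    No check on who is asking: any caller, logged in or not, can read,
    modify or delete any account, and PUT can even rewrite the owner field.
    """
    record = store.get(req.account_id)
    if record is None:
        return None
    if req.method == "GET":
        return dict(record)
    if req.method == "PUT":
        record.update(req.body)
        return dict(record)
    if req.method == "DELETE":
        del store[req.account_id]
        return {"deleted": req.account_id}
    return None


def authorize(store: dict, req: Request) -> Optional[dict]:
    """Deny by default: the caller must be logged in and must own the record
    (or hold the admin role, taken from the server-side role table).
    A record the caller may not touch is reported exactly like a missing one,
    so the endpoint cannot be used to enumerate which ids exist."""
    if req.user is None:
        raise Unauthorized("login required")
    record = store.get(req.account_id)
    if record is None:
        return None
    if ROLES.get(req.user) != "admin" and record["owner"] != req.user:
        return None
    return record


def handle_hardened(store: dict, req: Request) -> Optional[dict]:
    """Same endpoint with the check applied to every method, not only GET,
    and anything not explicitly allowed rejected."""
    record = authorize(store, req)
    if record is None:
        return None
    if req.method == "GET":
        return dict(record)
    if req.method == "PUT":
        rejected = set(req.body) - WRITABLE_FIELDS
        if rejected:
            raise Forbidden(f"fields not writable: {sorted(rejected)}")
        record.update(req.body)
        return dict(record)
    if req.method == "DELETE":
        del store[req.account_id]
        return {"deleted": req.account_id}
    raise Forbidden(f"method {req.method} not allowed")


def outcome(store: dict, req: Request) -> str:
    """Classify a hardened request as ok / not_found / unauthorized / forbidden."""
    try:
        return "ok" if handle_hardened(store, req) is not None else "not_found"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    s = make_store()
    # bob reads alice's account: the vulnerable handler returns it ...
    print(handle_vulnerable(s, Request("GET", 101, user="bob")))
    # ... the hardened handler treats it as not found.
    print(outcome(s, Request("GET", 101, user="bob")))
    print(outcome(s, Request("DELETE", 102)))              # unauthorized
    print(outcome(s, Request("PUT", 101, user="alice", body={"owner": "bob"})))  # forbidden
```

The point of `authorize` running before the method dispatch is that the same decision covers GET, PUT and DELETE; the role comes from the server-side table rather than a cookie, hidden field or token claim the caller controls; and a foreign record and a missing record produce the same response.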