Web application security - the fast guide 1.1 | Page 121

Chapter 6 - Attack execution (2)

having mapped the application as a different user. For testing vertical access controls, it is preferable to re-request the high-privilege site map as a low-privileged user, because this ensures complete coverage of the relevant functionality.

F. To re-request the first site map in a different session, configure Burp's session-handling functionality with the details of the low-privilege user session (for example, by recording a login macro or by providing a specific cookie to be used in requests).

G. Define suitable scope rules to prevent Burp from requesting any logout function; otherwise a replayed logout request would end the low-privilege session and every later request would be made unauthenticated.

Figure 49: comparing site maps in Burp to extract the difference between privileged and non-privileged accounts, and to target that difference.

6.8 Attack Execution - data stores
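The site-map comparison procedure described in steps F and G above, as an added worked example that is not code from the guide or from Burp: every URL the high-privilege user reached is replayed with the low-privilege session, logout-style paths are excluded by a scope rule, and each pair of responses is classified so that identical content for both users stands out as a vertical access-control candidate. The admin site map, the low-privilege cookie and the "server" responses are constructed sample data (the `fetch` callable stands in for a real HTTP client), so the script runs offline.

```python
"""Replay a high-privilege site map in a low-privilege session and flag
vertical access-control candidates (added example, not the guide's code).
"""
import re
from urllib.parse import urlparse

# Scope rule (step G): never replay anything that would end the
# low-privilege session. Assumed logout paths; adjust to the target.
LOGOUT_PATTERN = re.compile(r"/(logout|signout|session/destroy)(/|$|\?)", re.I)


def in_scope(url: str) -> bool:
    """Allow replay unless the path looks like a logout endpoint."""
    return not LOGOUT_PATTERN.search(urlparse(url).path)


def normalise(body: str) -> str:
    """Strip per-response noise (CSRF tokens, timestamps) before diffing."""
    body = re.sub(r'name="csrf"\s+value="[^"]*"', 'name="csrf" value=""', body)
    return re.sub(r"\d{4}-\d{2}-\d{2}T[\d:]+Z", "<ts>", body)


def classify(priv_resp: dict, low_resp: dict) -> str:
    """Compare the high-privilege response with the low-privilege replay.

    'enforced'            : low-privilege user got a redirect or a 4xx
    'vertical-ac-failure' : same status and same (normalised) body
    'partial'             : low-privilege user got 2xx but different content;
                            inspect by hand (e.g. a trimmed page)
    'other'               : anything else (5xx, unexpected status)
    """
    ls = low_resp["status"]
    if 300 <= ls < 500:
        return "enforced"
    if ls == priv_resp["status"] and normalise(priv_resp["body"]) == normalise(low_resp["body"]):
        return "vertical-ac-failure"
    if 200 <= ls < 300:
        return "partial"
    return "other"


def replay(site_map: dict, low_cookie: str, fetch) -> dict:
    """Step F: re-request every in-scope URL with the low-privilege session.

    `fetch(url, cookie)` must return {'status': int, 'body': str}; in a
    real run it would wrap an HTTP client that sends the cookie.
    """
    findings = {}
    for url, priv_resp in site_map.items():
        if not in_scope(url):
            findings[url] = "skipped-out-of-scope"
            continue
        findings[url] = classify(priv_resp, fetch(url, low_cookie))
    return findings


# Constructed sample: what the high-privilege user saw while mapping.
ADMIN_SITE_MAP = {
    "https://app.example/admin/users": {"status": 200, "body": '<h1>Users</h1><input name="csrf" value="a1b2">'},
    "https://app.example/admin/export": {"status": 200, "body": "id,name\n1,alice"},
    "https://app.example/account": {"status": 200, "body": "<h1>Account: admin</h1>"},
    "https://app.example/logout": {"status": 302, "body": ""},
}

# Constructed fake server: how the application answers the low-privilege
# session. /admin/export is the planted access-control failure.
_LOW_PRIV_RESPONSES = {
    "https://app.example/admin/users": {"status": 302, "body": ""},
    "https://app.example/admin/export": {"status": 200, "body": "id,name\n1,alice"},
    "https://app.example/account": {"status": 200, "body": "<h1>Account: bob</h1>"},
}

LOW_PRIV_COOKIE = "session=low-priv-sample"  # constructed, not a real token


def fake_fetch(url: str, cookie: str) -> dict:
    """Stand-in for an HTTP client; only the low-privilege cookie is known."""
    assert cookie == LOW_PRIV_COOKIE
    return _LOW_PRIV_RESPONSES.get(url, {"status": 404, "body": ""})


def run_sample() -> dict:
    return replay(ADMIN_SITE_MAP, LOW_PRIV_COOKIE, fake_fetch)


if __name__ == "__main__":
    for url, verdict in run_sample().items():
        print(f"{verdict:24} {url}")
```

The `normalise` step matters in practice: without it, a rotating CSRF token or a timestamp in the page makes every pair look different and hides the real failures, which is the same reason Burp's site-map comparison offers response-content matching options.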