C5 | Intermediate

URL Tampering Test

30 min | Every project

Format: Test whether modifying URLs can access data you shouldn't see.

Testing method:

If your app has URLs like:
/api/users/123/orders
/dashboard/user/123

Try:
- Change 123 to 124 -> Can you see someone else's data?
- Change 123 to 0 or -1 -> Does it error? Or crash?
- Change 123 to "abc" -> What happens?
- Change 123 to 99999999999 -> What happens?

The weakness this test looks for is called IDOR (Insecure Direct Object Reference): the server uses an identifier taken straight from the URL without checking that the requesting user is allowed to access that object. It is one of the most common web security vulnerabilities.
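To make the test concrete from the defender's side, here is an added example (not code from the original checklist) showing an order-lookup handler with the IDOR flaw next to a hardened version, plus a small runner that replays the tampered IDs from the list above against each. The users, orders, status codes and the `MAX_ID` bound are constructed assumptions for illustration.

```python
"""Added example: an IDOR-prone handler beside a hardened one.

Illustrative code, not taken from the original checklist. The users,
orders and the MAX_ID bound are constructed sample values.
"""
from typing import Optional, Tuple

# Constructed sample data: each user id owns a list of orders.
ORDERS_BY_USER = {
    123: ["order-A", "order-B"],
    124: ["order-C"],
}

MAX_ID = 2**31 - 1  # assumed upper bound for ids in this example


def parse_id(raw: str) -> Optional[int]:
    """Return a positive, bounded integer, or None for anything else."""
    if not raw.isdigit():            # rejects "abc", "-1", "", "1.5"
        return None
    value = int(raw)
    if value < 1 or value > MAX_ID:  # rejects 0 and 99999999999
        return None
    return value


def get_orders_vulnerable(session_user: int, raw_id: str) -> Tuple[int, object]:
    """Handler for /api/users/<id>/orders that trusts the id in the URL."""
    try:
        target = int(raw_id)
    except ValueError:
        return 500, "unhandled error"   # "abc" blows up the naive parse
    orders = ORDERS_BY_USER.get(target)
    if orders is None:
        return 404, "not found"
    return 200, orders                  # any logged-in user can read any id


def get_orders_hardened(session_user: int, raw_id: str) -> Tuple[int, object]:
    """Same endpoint with input validation and an ownership check."""
    target = parse_id(raw_id)
    if target is None:
        return 400, "invalid id"        # no crash, no stack trace
    if target != session_user:
        # Ownership comes from the session, not the URL. Answering 404
        # instead of 403 also avoids confirming that the other id exists.
        return 404, "not found"
    return 200, ORDERS_BY_USER.get(target, [])


def run_tamper_checks(handler, session_user: int = 123) -> dict:
    """Replay the checklist's tampered ids and record the status each one gets."""
    tampered = ["123", "124", "0", "-1", "abc", "99999999999"]
    return {raw: handler(session_user, raw)[0] for raw in tampered}


if __name__ == "__main__":
    print("vulnerable:", run_tamper_checks(get_orders_vulnerable))
    print("hardened:  ", run_tamper_checks(get_orders_hardened))
```

The runner is the automated form of the checklist: as user 123 it requests ids 124, 0, -1, "abc" and 99999999999. A passing result is one where only the user's own id returns 200 and every other probe is rejected with a controlled 4xx; a 200 on a foreign id or a 500 on garbage input is a finding to fix.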
