- API calls may indicate IDOR vulns
  - use to identify an admin's `uid`
- Access denied when using user A's cookie to reset password for user B may be bypassed with HTTP verb tampering
  - change POST to GET request
- Try multiple XXE types when we see an XML form such as event creation or a contact form
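The IDOR and verb-tampering notes above share one root cause: the server trusts a client-supplied `uid` and runs its ownership check on only one HTTP method. The following is an added example, not part of the original notes, showing a weak password-reset handler beside a hardened one. The `Request` class, the `USERS` table and the handler names are constructed for illustration; a real application would get the session uid from its framework's cookie handling.

```python
"""Password-reset authorization: why verb tampering works, and the fix.

Added example; the request model and user table below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str                  # "GET", "POST", ...
    session_uid: int             # uid bound server-side to the presented cookie
    params: dict = field(default_factory=dict)   # query string or form body


# Constructed sample: uid 1 is the admin, 2 and 3 are ordinary users.
USERS = {1: {"role": "admin"}, 2: {"role": "user"}, 3: {"role": "user"}}


def reset_password_vulnerable(req: Request):
    """Weak handler.

    The ownership check is only reached on POST, so the same parameters sent
    as a GET skip it entirely (HTTP verb tampering). Because the target comes
    from the client-supplied `uid`, any uid learned from an API response
    (e.g. the admin's) can be used as the target.
    """
    target = int(req.params["uid"])
    if req.method == "POST":
        if target != req.session_uid:
            return 403, "access denied"
    return 200, f"password reset for uid {target}"


def reset_password_hardened(req: Request):
    """Hardened handler.

    1. Only the intended method is accepted; every other verb is refused
       before any business logic runs.
    2. The target defaults to the uid bound to the session, never to a value
       the client chose, so a leaked admin uid gives an attacker nothing.
    3. Resetting another account is an explicit, role-checked exception.
    """
    if req.method != "POST":
        return 405, "method not allowed"
    target = req.session_uid
    requested = req.params.get("uid")
    if requested is not None and int(requested) != target:
        if USERS[target]["role"] != "admin":
            return 403, "access denied"
        target = int(requested)
    return 200, f"password reset for uid {target}"


if __name__ == "__main__":
    attempt = Request("GET", session_uid=2, params={"uid": "1"})
    print("vulnerable:", reset_password_vulnerable(attempt))
    print("hardened:  ", reset_password_hardened(attempt))
```

Running the block shows the GET attempt from user 2 against uid 1 succeeding on the weak handler and being refused with 405 by the hardened one; the same request as POST is refused with 403 by both.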
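For the XXE note, the defensive counterpart is to refuse any DOCTYPE before the document is parsed: a contact or event form never legitimately needs a DTD, and without a DTD no entity, internal or external, can be declared. This is an added example, not from the original notes; it uses only Python's standard-library expat and ElementTree, and the sample documents are constructed (the `file:///placeholder` system id is a placeholder, not a real target).

```python
"""Reject XML form submissions that carry a DOCTYPE, before parsing them.

Added example using the standard library only. The expat
StartDoctypeDeclHandler fires as soon as a DOCTYPE begins, so the document is
rejected before any entity declaration inside it is even read.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when a submitted XML document declares a DOCTYPE."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE, with or without an internal subset, is refused outright.
    raise DoctypeRejected(
        f"DOCTYPE {name!r} not allowed (system id={sysid!r}, "
        f"internal subset={bool(has_internal_subset)})"
    )


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from a form field, refusing any DOCTYPE.

    The guard parser raises DoctypeRejected on the first DOCTYPE token;
    only documents that pass the guard reach ElementTree.
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.Parse(data, True)        # propagates DoctypeRejected / ExpatError
    return ET.fromstring(data)     # no DTD was present, so no entities exist


def is_xml_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the document is accepted, else False."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DoctypeRejected, ET.ParseError, expat.ExpatError):
        return False


# Constructed sample submissions.
BENIGN = b"<contact><name>Ada</name><msg>hello</msg></contact>"
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder">]>'
    b"<contact><msg>&e;</msg></contact>"
)
INTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY a "aaaa">]><contact><msg>&a;</msg></contact>'
BARE_DOCTYPE = b"<!DOCTYPE contact><contact/>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("internal entity", INTERNAL_ENTITY), ("bare doctype", BARE_DOCTYPE)]:
        print(f"{label:16s} accepted={is_xml_accepted(doc)}")
```

Rejecting at the DOCTYPE level covers every XXE variant the notes suggest trying (external SYSTEM entities, parameter entities, entity-expansion bombs) with one rule, and on the detection side the `DoctypeRejected` message gives a log line worth alerting on, since benign form clients never send a DTD.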