Basically you need to try to view things you should not be able to see, such as other people's order invoices, account details or messages.
There are loads of ways to test for this, but really what you are looking for is a static identifier in the request (uid, invoiceNumber, OrderNumber etc.) that you can swap for someone else's value while keeping your own session.
Walk the application as a high-privileged user and collect all of the URLs generated while browsing (Burp's site map is the easiest place to grab them from). Marking them with colours can help identify the admin-only pages.
Create a .bat file and paste all of the URLs into it, one per line.
Perform a find and replace so that every line launches Firefox with that URL. Find:
https://targetsite.com
Replace with:
"C:\Program Files\Mozilla Firefox\firefox.exe" https://targetsite.com
Log in as a low-privileged user in Firefox and run the bat file with Burp intercept off, then review which of the pages you still have access to.
Some of the requests (logout links, for example) may end your session, so delete those from the list until all of them open without breaking your session.
It is not the most rigorous way to test for this, but sometimes visually inspecting the pages is easier than reading raw responses.
Follow these steps:
Log in to the target application as a low-privileged user.
Go to the Autorize tab in Burp; Autorize should still be off at this point.
Click "Fetch cookies from last request" so Autorize picks up the low-privileged session cookies.
Open an incognito window.
Log in as a high-privileged user.
Click the "Autorize is off" button to turn it on.
Browse the areas of the site that are admin/high-privilege only and check the colours in the status columns: red is what you are after.
There are 3 enforcement statuses:
Bypassed! - red
Enforced! - green
Is enforced??? (please configure enforcement detector) - yellow
The first two statuses are clear, so I won't elaborate on them.
The third status means that Autorize cannot determine whether authorization is enforced or not, so it asks you to configure a filter in the enforcement detector tabs. There are two enforcement detector tabs: one for detecting enforcement of the low-privileged requests and one for detecting enforcement of the unauthenticated requests.
The enforcement detector filters let Autorize detect authentication and authorization enforcement from the server's response, either by content length or by a string (literal or regex) in the message body, the headers or the full response.
For example, if a request is shown as "Authorization enforced??? (please configure enforcement detector)", you can inspect the modified/original/unauthenticated responses and notice that the modified response body contains the string "You are not authorized to perform action". Add a filter with that fingerprint value and Autorize will look for it and automatically mark the request as enforced. You can do the same by defining a content-length filter or a fingerprint in the headers.
For more info check the Autorize readme.
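As an added illustration of what the enforcement detector is doing (this is my own example, not Autorize's code), the script below replays the classification in plain Python: a "modified" response (the request resent with the low-priv cookies) is compared against the "original" high-priv response, fingerprint filters are matched against body, headers or full response, and the result is one of the three statuses above. The sample responses are constructed for the example, and the rule that "same status code and same body length as the original means bypassed" is my simplification of Autorize's heuristic, not a quote of its source.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# The three enforcement statuses Autorize reports
BYPASSED = "Bypassed!"
ENFORCED = "Enforced!"
UNKNOWN = "Is enforced??? (please configure enforcement detector)"


@dataclass
class Response:
    """Minimal HTTP response (status, headers, body); constructed for this example."""
    status: int
    headers: dict
    body: str

    def header_block(self) -> str:
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())

    def full(self) -> str:
        return f"HTTP/1.1 {self.status}\n{self.header_block()}\n\n{self.body}"


@dataclass
class Fingerprint:
    """One enforcement-detector filter: literal or regex, searched in body, headers or full response."""
    value: str
    regex: bool = False
    scope: str = "body"  # "body", "headers" or "full"

    def matches(self, resp: Response) -> bool:
        haystack = {"body": resp.body, "headers": resp.header_block(), "full": resp.full()}[self.scope]
        if self.regex:
            return re.search(self.value, haystack, re.MULTILINE) is not None
        return self.value in haystack


def classify(original: Response, modified: Response,
             fingerprints: Iterable[Fingerprint] = (),
             enforced_lengths: Iterable[int] = ()) -> str:
    """Classify one replayed request (simplified approximation of Autorize's logic, an assumption).

    original: response to the high-priv request as the browser sent it
    modified: response to the same request replayed with the low-priv cookies
    """
    # 1. Any configured filter hitting the modified response means the server refused it.
    if any(fp.matches(modified) for fp in fingerprints):
        return ENFORCED
    if len(modified.body) in set(enforced_lengths):
        return ENFORCED
    # 2. No filter hit: a low-priv replay that looks identical to the original is a bypass.
    if modified.status == original.status and len(modified.body) == len(original.body):
        return BYPASSED
    # 3. Otherwise we cannot tell; the tester has to look and configure a filter.
    return UNKNOWN


# Constructed sample responses for an admin-only page
ADMIN_PAGE = Response(200, {"Content-Type": "text/html"},
                      "<h1>Users</h1><ul><li>alice</li><li>bob</li></ul>")
DENIED = Response(200, {"Content-Type": "text/html"},
                  "<p>You are not authorized to perform action</p>")
REDIRECT = Response(302, {"Location": "/login?next=/admin/users"}, "")


def demo() -> dict:
    """Run the classifier over the samples with and without filters configured."""
    filters = [
        Fingerprint("You are not authorized to perform action"),
        Fingerprint(r"^Location: /login", regex=True, scope="headers"),
    ]
    return {
        "same_page": classify(ADMIN_PAGE, ADMIN_PAGE, filters),          # low-priv user sees admin page
        "denied":    classify(ADMIN_PAGE, DENIED, filters),              # body fingerprint hit
        "redirect":  classify(ADMIN_PAGE, REDIRECT, filters),            # header regex hit
        "no_filter": classify(ADMIN_PAGE, DENIED),                       # nothing configured yet
        "by_length": classify(ADMIN_PAGE, DENIED, (), [len(DENIED.body)]),  # content-length filter
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status}")
```

Note the "no_filter" case: the denial page comes back with a 200 like the admin page, so without a fingerprint the only thing the detector can see is that the length differs, which is exactly the yellow "Is enforced???" situation described above.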