Automated A-B Testing

Multi-Account Containers

For A-B testing we can use a browser extension, such as Firefox's Multi-Account Containers, and have different sessions simultaneously (Figure 1).

Figure 1: Performing A-B testing using Firefox's Multi-Account Containers.

Autorize

We can also use Burp's Autorize extension: we give it a low-privileged account's cookie and then browse the application as a high-privileged user. The extension repeats each request the high-privileged user makes, once with the low-privileged cookie and once unauthenticated (Figure 2).

Figure 2: Performing A-B testing using Burp's Autorize.

To test access control on things other than headers, such as UUIDs in the URL path, we can use Burp's AutoRepeater extension in the same way as Autorize.
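The two replay patterns above (Autorize re-sending a privileged user's requests with a weaker session, AutoRepeater re-sending the same session's requests with an identifier swapped in the path) can also be run as an offline authorization regression test. The following is an added example, not code from the original page or from either Burp extension: it runs against a constructed in-memory `demo_app` with made-up cookies and UUID-style ids, and the verdict labels (`enforced`, `bypassed`, `check manually`, `possible IDOR`) are this example's own simplification of how such tools report results.

```python
# Added example (not from the original page or from Burp's extensions): an authorization
# regression harness in the spirit of Autorize and AutoRepeater, run against a constructed
# in-memory application so it works offline.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed session cookies and user records; the ids are made-up UUID-style strings.
ADMIN_COOKIE = "sess-admin-0001"
USER_COOKIE = "sess-user-0002"
ADMIN_ID = "11111111-1111-4111-8111-111111111111"
USER_ID = "22222222-2222-4222-8222-222222222222"
SESSIONS = {ADMIN_COOKIE: (ADMIN_ID, "admin"), USER_COOKIE: (USER_ID, "user")}


@dataclass
class Response:
    status: int
    body: str


App = Callable[[str, Optional[str]], Response]


def demo_app(path: str, cookie: Optional[str]) -> Response:
    """Toy application (constructed). Two endpoints deliberately lack an access check
    so that the harness has something to find."""
    session = SESSIONS.get(cookie) if cookie else None
    if session is None:
        return Response(401, "unauthenticated")
    uid, role = session
    if path == "/api/profile":
        return Response(200, f"profile of {role} {uid}")   # legitimately differs per user
    if path == "/api/admin/users":
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, "user list")
    if path == "/api/admin/export":                        # bug: role check missing
        return Response(200, "full user export")
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["api", "users"]:
        target, resource = parts[2], parts[3]
        if resource == "orders" and (target == uid or role == "admin"):
            return Response(200, f"orders of {target}")
        if resource == "invoices":                         # bug: ownership check missing
            return Response(200, f"invoices of {target}")
        return Response(403, "forbidden")
    return Response(404, "not found")


def classify(reference: Response, replay: Response) -> str:
    """Verdict for an Autorize-style replay (assumed simplification of the tool's output):
    an explicit 401/403 means the control held; a reply identical to the privileged one means
    it was bypassed; anything else (e.g. per-user data that legitimately differs) needs a look."""
    if replay.status in (401, 403):
        return "enforced"
    if replay.status == reference.status and replay.body == reference.body:
        return "bypassed"
    return "check manually"


def autorize_replay(app: App, paths: List[str], high_cookie: str, low_cookie: str) -> Dict[str, Dict[str, str]]:
    """Replay each request the privileged user made, once low-privileged and once unauthenticated."""
    findings: Dict[str, Dict[str, str]] = {}
    for path in paths:
        ref = app(path, high_cookie)
        if ref.status != 200:
            continue            # only requests the privileged user could actually perform matter
        findings[path] = {
            "low_priv": classify(ref, app(path, low_cookie)),
            "unauth": classify(ref, app(path, None)),
        }
    return findings


def autorepeater_replay(app: App, paths: List[str], cookie: str, own_id: str, other_id: str) -> Dict[str, str]:
    """Keep the same session but swap an identifier in the URL path, then resend.
    Here the user's own resource is the reference, so a 200 on someone else's id is the finding."""
    findings: Dict[str, str] = {}
    for path in paths:
        if own_id not in path:
            continue
        swapped = path.replace(own_id, other_id)
        replay = app(swapped, cookie)
        findings[swapped] = "possible IDOR" if replay.status == 200 else "enforced"
    return findings


ADMIN_PATHS = ["/api/profile", "/api/admin/users", "/api/admin/export"]
USER_PATHS = [f"/api/users/{USER_ID}/orders", f"/api/users/{USER_ID}/invoices"]

if __name__ == "__main__":
    for path, verdict in autorize_replay(demo_app, ADMIN_PATHS, ADMIN_COOKIE, USER_COOKIE).items():
        print(f"{path:20} low_priv={verdict['low_priv']:15} unauth={verdict['unauth']}")
    for path, verdict in autorepeater_replay(demo_app, USER_PATHS, USER_COOKIE, USER_ID, ADMIN_ID).items():
        print(f"{path:60} {verdict}")
```

Against the constructed app this flags `/api/admin/export` as bypassed for the low-privileged user, reports `/api/profile` as "check manually" (the content differs because each user sees their own profile, which is the usual false-positive source when only status codes are compared), and flags the swapped invoices URL as a possible IDOR while the orders URL stays enforced. The same harness can be pointed at a real application by replacing `demo_app` with a function that sends the request over HTTP and wraps the result in `Response`.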
