Automated A-B Testing

Multi-Account Containers

For manual A-B testing we can use a browser extension such as Firefox's Multi-Account Containers, which keeps a separate cookie jar per container tab. This lets us stay logged in as a high-privileged user in one tab and as a low-privileged (or different) user in another at the same time, and repeat the same action from each tab to compare what the application allows (Figure 1).

Figure 1: Performing A-B testing using Firefox's Multi-Account Containers.

Autorize

We can also automate this with Burp's Autorize extension: we configure it with a low-privileged account's session cookie (or any other authorization header) and then browse the application as a high-privileged user through Burp. For every request the high-privileged user makes, the extension re-sends it twice, once with the low-privileged user's cookie substituted and once with no session at all, and compares the responses with the original. A replayed request that returns the same status and a near-identical body is flagged as bypassed, one that is rejected (for example with 401 or 403) as enforced, and anything in between is left for manual review (Figure 2).

Figure 2: Performing A-B testing using Burp's Autorize.

Autorize only swaps headers. To test access control on values carried elsewhere in the request, such as a UUID in the URL path, we can use Burp's AutoRepeater extension in a similar way: define a replacement rule that substitutes another user's identifier into each request as it passes through the proxy, and compare the original and replayed responses side by side.
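The two replay strategies above, Autorize's header substitution and AutoRepeater's path-parameter substitution, are modelled in the following standalone script. It is an added example written for this page, not code from either extension. The target application is a constructed toy (`toy_app`) with three endpoints, one of which deliberately lacks an ownership check on invoices; the session cookies, UUIDs and the three verdict strings are assumptions chosen to mirror Autorize's reporting.

```python
"""Model of automated A-B access-control testing (added example, not Autorize/AutoRepeater code).

autorize():          re-send every request captured as the high-privileged user with a
                     low-privileged cookie and with no cookie, then compare responses.
autorepeater_uuid(): re-send each request with the UUID in the path swapped for another
                     user's UUID, keeping the same cookie (path-parameter IDOR check).
"""
import re
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed toy application state (assumption: stands in for the real target).
SESSIONS = {"sess-admin": ("alice", "admin"), "sess-low": ("bob", "user")}
DOCS = {"d1a2b3c4-0000-4000-8000-000000000001": "alice",
        "d1a2b3c4-0000-4000-8000-000000000002": "bob"}
INVOICES = {"e5f6a7b8-0000-4000-8000-000000000001": "alice",
            "e5f6a7b8-0000-4000-8000-000000000002": "bob"}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    cookie: Optional[str]


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def toy_app(req: Request) -> Response:
    """Toy backend: documents are owner/admin only; invoices lack an ownership check (deliberate)."""
    user = SESSIONS.get(req.cookie) if req.cookie else None
    if user is None:
        return Response(401, "login required")
    name, role = user
    if req.path == "/admin/users":
        return Response(200, "alice,bob") if role == "admin" else Response(403, "forbidden")
    m = re.fullmatch(r"/api/documents/(%s)" % UUID_RE.pattern, req.path)
    if m:
        owner = DOCS.get(m.group(1))
        if owner is None:
            return Response(404, "no such document")
        if owner == name or role == "admin":
            return Response(200, f"document of {owner}")
        return Response(403, "forbidden")
    m = re.fullmatch(r"/api/invoices/(%s)" % UUID_RE.pattern, req.path)
    if m:
        owner = INVOICES.get(m.group(1))
        if owner is None:
            return Response(404, "no such invoice")
        return Response(200, f"invoice of {owner}")  # BUG: any logged-in user can read any invoice
    return Response(404, "not found")


def classify(original: Response, replayed: Response) -> str:
    """Same verdicts Autorize reports: rejected -> Enforced!, identical -> Bypassed!, else review."""
    if replayed.status in (401, 403):
        return "Enforced!"
    if replayed.status == original.status and replayed.body == original.body:
        return "Bypassed!"
    return "Is enforced???"


def autorize(requests: List[Request], low_cookie: str,
             app: Callable[[Request], Response] = toy_app) -> List[Tuple[str, str, str]]:
    """For each high-privileged request return (path, low-privileged verdict, unauthenticated verdict)."""
    results = []
    for req in requests:
        original = app(req)
        as_low = app(replace(req, cookie=low_cookie))
        as_anon = app(replace(req, cookie=None))
        results.append((req.path, classify(original, as_low), classify(original, as_anon)))
    return results


def autorepeater_uuid(requests: List[Request], foreign_uuids: List[str],
                      app: Callable[[Request], Response] = toy_app) -> List[Tuple[str, str]]:
    """Swap every UUID in the path for each foreign UUID, keep the cookie, and record the verdict.
    A 200 here means the caller was served an object that belongs to someone else."""
    results = []
    for req in requests:
        for other in foreign_uuids:
            path = UUID_RE.sub(other, req.path)
            if path == req.path:
                continue  # nothing to substitute in this request
            resp = app(replace(req, path=path))
            verdict = ("Bypassed!" if resp.status == 200
                       else "Enforced!" if resp.status in (401, 403) else "Is enforced???")
            results.append((path, verdict))
    return results


if __name__ == "__main__":
    captured = [Request("GET", "/admin/users", "sess-admin"),
                Request("GET", "/api/documents/d1a2b3c4-0000-4000-8000-000000000001", "sess-admin"),
                Request("GET", "/api/invoices/e5f6a7b8-0000-4000-8000-000000000001", "sess-admin")]
    for row in autorize(captured, "sess-low"):
        print("autorize    ", row)
    mine = [Request("GET", "/api/invoices/e5f6a7b8-0000-4000-8000-000000000002", "sess-low")]
    for row in autorepeater_uuid(mine, ["e5f6a7b8-0000-4000-8000-000000000001"]):
        print("autorepeater", row)
```

Run it and the invoice endpoint is the only one reported as "Bypassed!" by both strategies: the low-privileged replay returns the admin's invoice unchanged, and swapping the UUID in bob's own request returns alice's invoice. Both document and admin requests come back "Enforced!". Against a real application, body comparison should tolerate dynamic content (timestamps, CSRF tokens), which is why Autorize compares response lengths rather than exact bytes.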
