Testing for broken access control is often a laborious and boring process. Few tools are available, and the Burp Suite extension Autorize is the most common. I wanted to build something with a bit more flexibility to cover additional use cases such as:
- multiple users: why not test multiple roles of multiple tenants at once?
- sending a request for a different user first: necessary to test access control on deletion
- flexibility: configurable, and the code can be rewritten for your use case
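
The first two use cases, sketched as an added example (this is not the tool described in this post): a delete test run across users of two tenants, where the owner creates a fresh resource before each probe so that an earlier successful delete cannot hide a later result behind a 404. `ToyApi`, the users and the policy in `expected_delete` are all constructed for the illustration.

```python
# Added illustration: in-memory toy API, not the tool described in this post.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str

class ToyApi:
    """Constructed target: delete checks the role but forgets the tenant."""
    def __init__(self):
        self.docs = {}      # doc_id -> owning tenant
        self.next_id = 1

    def create(self, user):
        doc_id = self.next_id
        self.next_id += 1
        self.docs[doc_id] = user.tenant
        return doc_id

    def delete(self, user, doc_id):
        if doc_id not in self.docs:
            return 404
        if user.role != "admin":      # role check present
            return 403
        del self.docs[doc_id]         # flaw: no tenant check
        return 204

def expected_delete(owner, actor):
    """Assumed policy: only an admin of the owning tenant may delete."""
    return actor.role == "admin" and actor.tenant == owner.tenant

def run_delete_matrix(api, owner, actors):
    """For each actor, the owner first creates a fresh document, then the
    actor tries to delete it. Returns actors whose result breaks the policy."""
    findings = []
    for actor in actors:
        doc_id = api.create(owner)            # setup request as the owner
        status = api.delete(actor, doc_id)    # probe as the tested user
        allowed = status == 204
        if allowed != expected_delete(owner, actor):
            findings.append((actor.name, status))
    return findings

USERS = [
    User("a-admin", "tenant-a", "admin"),
    User("a-user", "tenant-a", "user"),
    User("b-admin", "tenant-b", "admin"),
    User("b-user", "tenant-b", "user"),
]

if __name__ == "__main__":
    print(run_delete_matrix(ToyApi(), USERS[0], USERS))
```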