Browse as Alice (Actor A). Set Bob as Actor B in ACAS.

| Method | Endpoint | Type | Expected ACAS Result |
|---|---|---|---|
| GET | /api/users/me | protected | Not flagged |
| GET | /api/users/{id}/profile | IDOR | CONFIRMED ~85 |
| PUT | /api/users/{id}/profile | IDOR | CONFIRMED ~80 |
| GET | /api/users/{id}/orders | IDOR | CONFIRMED ~80 |
| GET | /api/orders/{id} | IDOR | CONFIRMED ~78 |
| GET | /api/documents/{id} | IDOR | CONFIRMED ~88 |
| DELETE | /api/documents/{id} | IDOR | CONFIRMED ~82 |
| GET | /api/users/{id}/payment-method | IDOR | CONFIRMED ~92 HIGH |
| GET | /api/users/{id}/apikey | IDOR | CONFIRMED ~95 CRITICAL |
| GET | /api/export?user_id={id} | IDOR | Review Queue |
| POST | /api/reports/generate | IDOR | Review Queue |
| GET | /api/users/{id}/messages | protected | Not flagged (403) |
| GET | /api/products | public | FALSE POSITIVE |
| GET | /api/products/{id} | public | FALSE POSITIVE |