You are a penetration tester hired by craw.in, a new online social media platform. You've been given a basic user account and are tasked with identifying potential Broken Access Control vulnerabilities. Craw.in is hosted at http://craw.in.
Question 1.
After logging in as a standard user, you notice a URL parameter in your profile page: craw.in/profile.php?id=123. Changing the id to another number reveals other user profiles. What type of direct object reference issue is this?
Question 2.
You find that a specific user has admin privileges. By manipulating cookies, can you access the admin page?
Question 3.
You found that an endpoint /admin/delete_user.php exists, but the website doesn't show any links to it. Directly navigating to this page from a standard user account without proper authentication gives which result?
Question 4.
You are logged in as user "john" and attempt to modify the bio of user "jane" via a POST request to /update_bio.php. The request includes a user_id parameter. What type of parameter is being targeted?
Question 5.
You discover an API endpoint /api/v1/users/123/sensitive_data that returns sensitive user data. Without authentication, can it be accessed?
Question 6.
The website uses roles to define the user capabilities. Can you change your role from "user" to "admin"?
Question 7.
You find a section of the website intended for moderators that allows banning of users. As a normal user, are you able to access this feature by attempting to directly POST to the /moderator/ban_user endpoint?
Question 8.
You are analyzing a page for transferring credits between users. Can the receiver's account number be changed?
Question 9.
A function deletes images and takes the image ID as its parameter. Can you delete any image with it?
Question 10.
After logging in, can you gain access to the administration panel directly using its URL?
Question 11.
You identify a hidden file at craw.in/backup/. How secure is this type of access vulnerability?
Question 12.
What kind of vulnerability is it when a normal user can access functionality intended only for administrators?
Question 13.
Can you bypass restrictions to view another user's private messages by manipulating URL parameters?
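The scenarios in questions 1, 3, 4, 7, 9 and 10 all come down to the same missing server-side decision: is the authenticated session allowed to touch this object or call this function? The following Python models that decision as it should be made for craw.in; it is an added example, not the platform's code, and the user table, image table, role ranking and handler names are constructed assumptions.

```python
# Constructed sample data standing in for craw.in's user and image tables.
# Roles come from the server-side record of the authenticated session, never
# from a cookie or request parameter (questions 2 and 6).
USERS = {
    "john": {"id": 123, "role": "user"},
    "jane": {"id": 124, "role": "user"},
    "mod": {"id": 200, "role": "moderator"},
    "root": {"id": 1, "role": "admin"},
}
IMAGES = {501: 123, 502: 124}  # image id -> owning user id (constructed)
ROLE_RANK = {"user": 0, "moderator": 1, "admin": 2}

# Least role required per sensitive function (questions 3, 7, 10). Unlisted
# paths are denied outright: hiding a link is not an authorization check.
FUNCTION_MIN_ROLE = {
    "/moderator/ban_user": "moderator",
    "/admin/delete_user.php": "admin",
    "/admin/": "admin",
}

def session_role(username):
    """Role is read from the server-side record, not from client data."""
    return USERS[username]["role"]

def can_use_function(username, path):
    """Function-level check: deny by default, then compare role rank."""
    needed = FUNCTION_MIN_ROLE.get(path)
    if needed is None:
        return False
    return ROLE_RANK[session_role(username)] >= ROLE_RANK[needed]

def can_access_user_record(username, target_user_id):
    """Object-level check for profile.php?id= and the update_bio user_id
    (questions 1, 4): only the record's owner or an admin passes."""
    me = USERS[username]
    return me["id"] == target_user_id or me["role"] == "admin"

def can_delete_image(username, image_id):
    """Object-level check for image deletion (question 9): an unknown
    image is denied the same way as another user's image."""
    owner = IMAGES.get(image_id)
    return owner is not None and owner == USERS[username]["id"]

def handle_update_bio(username, form):
    """Models the /update_bio.php handler: the POSTed user_id is checked
    against the session before any write; a missing field is denied."""
    target = int(form.get("user_id", -1))
    if not can_access_user_record(username, target):
        return 403
    return 200
```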