5 – Broken Access Control

This flaw occurs when an attacker can execute functionality they are not authorized to perform (for example, functions reserved for administrators). It can lead to information disclosure and to unwanted actions such as deleting, adding, or changing data. From a practical point of view, as a penetration tester, ask yourself the following questions:

  • Can you call the back-end web services (SOAP or REST) and perform unintended actions?
  • As a normal user, can you call admin functions?
  • Does the server validate the JSON Web Tokens (JWT)?
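The second and third questions in one place, as an added Python example that is not from the book: a handler that reads the `role` claim from an unverified JWT payload beside one that verifies the HS256 signature first and only then enforces the role. The secret, action names and claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side signing key for this example; load it from a secret store in practice.
SECRET = b"example-hs256-secret"
ADMIN_ONLY = {"delete_user"}  # actions a normal user must never be able to call

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue a minimal HS256 JWT: header.payload.signature (all base64url)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def claims_unverified(token: str) -> dict:
    # BROKEN: decodes the payload without checking the signature, so any claim is trusted.
    return json.loads(b64url_decode(token.split(".")[1]))

def claims_verified(token: str, key: bytes = SECRET) -> dict:
    # Recompute the HMAC over header.payload and compare in constant time before trusting claims.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("invalid signature")
    return json.loads(b64url_decode(payload))

def call_action_broken(token: str, action: str) -> str:
    # Broken access control: the role comes from a payload nobody verified.
    role = claims_unverified(token).get("role")
    if action in ADMIN_ONLY and role != "admin":
        return "forbidden"
    return f"executed {action}"

def call_action_fixed(token: str, action: str) -> str:
    # Hardened: reject anything that fails signature validation, then enforce the role server-side.
    try:
        claims = claims_verified(token)
    except (PermissionError, ValueError):
        return "forbidden"
    if action in ADMIN_ONLY and claims.get("role") != "admin":
        return "forbidden"
    return f"executed {action}"
```

A token whose payload was edited after signing is accepted by the broken handler and rejected by the fixed one, which is exactly what the JWT question in the list is probing for.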