Penetration Testing for Authorization Vulnerabilities