1. In one of the pentests I'm currently doing, there is a web application with multiple pricing tiers, including a free account. I've also been provided with a premium account.
2. What I usually do is parallel testing of the two accounts, at least as follows:
- visual: which features are available in both tiers vs. the paid account only
- dynamic: manipulating requests to circumvent access controls, usually via a proxy
- hybrid: a combination of both, or more
3. In this case, I decided to start lightly, in the browser. I tried accessing a paid feature from the free account. I was presented with a pop-up to "upgrade to continue", and I couldn't click anywhere else on the page.
4. Let me just, right-click, Inspect Element, and modify this div to class="none". There!
Now I can use this premium feature for free.
5. The moral of the story:
Always enforce access controls in the backend.
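What that moral looks like in code, as an added example that is not part of the original post: a feature handler whose only gate is the "upgrade" overlay in the browser, beside one that decides authorization from server-side session state. The session store, tier-to-feature table and request shapes are constructed for the example.

```javascript
// Added example (not from the original post): backend entitlement checks
// for tiered features. All data below is constructed sample data.

// Which features each tier is entitled to use.
const FEATURES_BY_TIER = {
  free: new Set(['basic-report']),
  premium: new Set(['basic-report', 'bulk-export']),
};

// Server-side session store: session id -> user record. The tier lives
// here, never in anything the client sends.
const SESSIONS = {
  'sess-free-1': { userId: 7, tier: 'free' },
  'sess-prem-1': { userId: 9, tier: 'premium' },
};

// VULNERABLE: the server does no check at all. The "upgrade to continue"
// overlay in the page is the only gate, so hiding that div (or sending the
// request through a proxy) is enough to use the feature.
function bulkExportVulnerable(req) {
  return { status: 200, body: 'bulk export started' };
}

// FIXED: wrap the handler so the decision comes from the session record
// looked up on the server, not from the UI or from request fields.
function requireFeature(feature, handler) {
  return (req) => {
    const sid = req.cookies && req.cookies.sid;
    const session = SESSIONS[sid];
    if (!session) return { status: 401, body: 'sign in' };
    const allowed = FEATURES_BY_TIER[session.tier] || new Set();
    if (!allowed.has(feature)) {
      // Same message the overlay shows, but now it is enforced.
      return { status: 403, body: 'upgrade to continue' };
    }
    return handler(req, session);
  };
}

const bulkExportFixed = requireFeature('bulk-export', (req, session) => ({
  status: 200,
  body: `bulk export started for user ${session.userId}`,
}));

// Constructed request from a free-tier session that removed the overlay
// and also claims to be premium in the request body.
const tamperedFreeRequest = {
  cookies: { sid: 'sess-free-1' },
  body: { tier: 'premium' },
};
```

Run both handlers against `tamperedFreeRequest`: the vulnerable one returns 200, the fixed one 403, because the tier is read from `SESSIONS` rather than from the client.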