Auth bypass: unprotected URLs
- The admin settings URL is meant to be available only after logging in
- Poor authentication lets an attacker access the settings page without a password if the URL is known
- Naive assumption: the URL path cannot be known by an attacker unless a valid password is known
  - This is far from reality, of course!
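
An added example (not from the original slides) of the flaw and its fix: a dispatcher that relies on the URL staying secret, beside one that checks the session on the server for every non-public route. The routes, tokens and function names are constructed for illustration.

```python
# Added example. Routes, tokens and handlers are constructed for illustration.
SESSIONS = {
    "tok-alice": {"user": "alice", "is_admin": True},
    "tok-bob": {"user": "bob", "is_admin": False},
}

# path -> (response body, access level): "public", "user" or "admin"
ROUTES = {
    "/login": ("login form", "public"),
    "/profile": ("profile page", "user"),
    "/admin/settings": ("admin settings", "admin"),
}

def handle_vulnerable(path, token=None):
    """Flawed design: the admin link is only hidden in the UI before login.
    The server never checks the session, so knowing the URL is enough."""
    if path not in ROUTES:
        return 404, "not found"
    body, _level = ROUTES[path]  # access level is ignored
    return 200, body

def handle_hardened(path, token=None):
    """Server-side check on every request; anything not public needs a session."""
    if path not in ROUTES:
        return 404, "not found"
    body, level = ROUTES[path]
    if level == "public":
        return 200, body
    session = SESSIONS.get(token)
    if session is None:
        return 401, "login required"
    if level == "admin" and not session["is_admin"]:
        return 403, "forbidden"
    return 200, body

def reachable_without_login(handler):
    """Audit helper: non-public routes that answer 200 to a request with no session."""
    return sorted(
        path for path, (_body, level) in ROUTES.items()
        if level != "public" and handler(path)[0] == 200
    )

if __name__ == "__main__":
    print(reachable_without_login(handle_vulnerable))  # ['/admin/settings', '/profile']
    print(reachable_without_login(handle_hardened))    # []
```

The audit helper doubles as a regression test: run it against the real route table in CI and fail the build if the list is not empty.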