I work at one of the largest companies in the world. You have most likely heard of it. We have alarmingly bad IT-people. This is just one example but for a non-critical system, I noticed that you can log in as someone else if you just have the correct URL. There are 3 characters that change randomly, leading to around 40 000 different combinations with numbers and letters. As an admin user, I already have the ability to log in as anyone and can see that this is how the system works. I want to potentially bring this up to my boss as an issue but then it would be best if I had a method to brute force a mass of websites for the correct one to show. This is also driven a bit by personal interest in what is actually possible today.