Too often, I've started a web application penetration test with one set of user credentials, a target application URL and it's off to the races. Not long after starting the test, it becomes apparent that I'll need at least one more set of credentials in order to properly test all