by alanfranzoni 3245 days ago
When you test for a vulnerability, many times you don't know whether it actually works unless you go "deep into the building".

In this situation, it would have been difficult to report the parameter tampering without verifying that it actually worked (there are systems that pass params back and forth without apparent use, but they throw an error when client and server states don't match) - and, most probably, the report would have been ignored without the verification.

1 comments

Exactly. Often, to validate that the door is unlocked, one needs to use the knob and open it a little - shall one get permission for that just for the sake of a check? Is it already a breach to open the door without crossing the threshold?