[CCS 2025] BACScan: Automatic Black-Box Detection of Broken-Access-Control Vulnerabilities in Web Applications

Abstract:

Broken-Access-Control (BAC) vulnerabilities have consistently been ranked among the most critical security risks in web applications, occupying the top positions in the OWASP Top 10 over the past several years. These vulnerabilities allow attackers to bypass access control mechanisms and perform unauthorized operations, posing serious security and privacy threats to sensitive business and user data. Despite substantial attention given to BAC vulnerabilities, effective and reliable approaches to detecting these issues remain limited. In this work, we present BACScan, a novel black-box approach to detect BAC vulnerabilities in web applications. Unlike existing response similarity-based oracles that check only unauthorized read accesses, BACScan introduces an innovative feedback-driven oracle, which determines whether unauthorized read or modification operations have occurred by inferring operationally-dependent web pages and analyzing the operational feedback. We evaluated BACScan on 20 real-world applications and successfully identified 89 vulnerabilities, including 54 previously unreported ones, outperforming state-of-the-art tools. We reported all newly identified vulnerabilities to the affected vendors. To date, 35 new CVE IDs have been assigned.
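The following is an added example, not BACScan's code, that illustrates the distinction the abstract draws between a response-similarity oracle and a feedback-driven one. It assumes a constructed in-memory toy application with a protected read endpoint and a delete endpoint that always answers with the same redirect; the hypothetical `enforce_delete_check` flag switches the delete endpoint between a vulnerable and a fixed build. Only the modification half of the oracle is modelled: `infer_dependent_pages` finds which of the victim's pages change when the victim performs the operation, and `feedback_oracle` replays the operation as a low-privilege user and checks whether those pages changed. The user names, paths and page list are constructed for the example.

```python
# Added example (not the paper's code): a toy web app plus two BAC oracles.
from dataclasses import dataclass, field

VICTIM, ATTACKER = "alice", "mallory"   # constructed account names

@dataclass
class ToyApp:
    # Constructed sample data: post id -> (owner, body).
    posts: dict = field(default_factory=lambda: {1: ("alice", "hello"), 2: ("bob", "hi")})
    # Hypothetical switch: False = missing ownership check on delete, True = fixed build.
    enforce_delete_check: bool = False

    def handle(self, user, method, path):
        """Return (status, body) for a request issued by `user`."""
        parts = path.strip("/").split("/")
        if method == "GET" and path == "/posts":
            # Dashboard listing the caller's own post ids: an operationally-dependent page.
            return 200, sorted(pid for pid, (owner, _) in self.posts.items() if owner == user)
        if method == "GET" and len(parts) == 2 and parts[0] == "posts":
            # Read one post; ownership is enforced correctly here.
            post = self.posts.get(int(parts[1]))
            if post is None:
                return 404, None
            return (200, post[1]) if post[0] == user else (403, None)
        if method == "POST" and len(parts) == 3 and parts[0] == "posts" and parts[2] == "delete":
            pid = int(parts[1])
            post = self.posts.get(pid)
            if post is not None and (not self.enforce_delete_check or post[0] == user):
                del self.posts[pid]
            # Generic redirect whether or not anything was deleted, so the response
            # body carries no signal about the outcome.
            return 302, "/posts"
        return 404, None

# Pages the scanner observes from the victim's session (constructed list).
PAGES = ["/posts", "/posts/1", "/posts/2"]

def vulnerable():
    return ToyApp(enforce_delete_check=False)

def fixed():
    return ToyApp(enforce_delete_check=True)

def similarity_oracle(make_app, method, path):
    """Response-similarity oracle: flag when the attacker's response equals the victim's."""
    return make_app().handle(VICTIM, method, path) == make_app().handle(ATTACKER, method, path)

def infer_dependent_pages(make_app, method, path):
    """Pages whose content (as seen by the victim) changes when the victim performs the op."""
    app = make_app()
    before = {p: app.handle(VICTIM, "GET", p) for p in PAGES}
    app.handle(VICTIM, method, path)
    after = {p: app.handle(VICTIM, "GET", p) for p in PAGES}
    return [p for p in PAGES if before[p] != after[p]]

def feedback_oracle(make_app, method, path):
    """Feedback-driven oracle: replay the op as the attacker on a fresh app instance and
    report whether any of the victim's operationally-dependent pages changed."""
    dependent = infer_dependent_pages(make_app, method, path)
    app = make_app()
    before = {p: app.handle(VICTIM, "GET", p) for p in dependent}
    app.handle(ATTACKER, method, path)
    after = {p: app.handle(VICTIM, "GET", p) for p in dependent}
    return any(before[p] != after[p] for p in dependent)

if __name__ == "__main__":
    op = ("POST", "/posts/1/delete")
    print("similarity, vulnerable:", similarity_oracle(vulnerable, *op))
    print("similarity, fixed:     ", similarity_oracle(fixed, *op))
    print("dependent pages:       ", infer_dependent_pages(vulnerable, *op))
    print("feedback, vulnerable:  ", feedback_oracle(vulnerable, *op))
    print("feedback, fixed:       ", feedback_oracle(fixed, *op))
```

Because the delete endpoint redirects identically for any caller, the similarity oracle returns the same verdict for the vulnerable and the fixed build and so cannot detect the unauthorized modification; the feedback oracle separates them by observing the victim's dashboard. On the protected read endpoint no page changes, so the feedback oracle reports nothing there, which is why a scanner still needs a read-side check alongside it.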