English

BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications

Cryptography and Security 2025-07-23 v1 Software Engineering

Abstract

Broken Access Control (BAC) remains one of the most critical and widespread vulnerabilities in web applications, allowing attackers to access unauthorized resources or perform privileged actions. Despite its severity, BAC is underexplored in automated testing due to key challenges: the lack of reliable oracles and the difficulty of generating semantically valid attack requests. We introduce BACFuzz, the first gray-box fuzzing framework specifically designed to uncover BAC vulnerabilities, including Broken Object-Level Authorization (BOLA) and Broken Function-Level Authorization (BFLA) in PHP-based web applications. BACFuzz combines LLM-guided parameter selection with runtime feedback and SQL-based oracle checking to detect silent authorization flaws. It employs lightweight instrumentation to capture runtime information that guides test generation, and analyzes backend SQL queries to verify whether unauthorized inputs flow into protected operations. Evaluated on 20 real-world web applications, including 15 CVE cases and 2 known benchmarks, BACFuzz detects 16 of 17 known issues and uncovers 26 previously unknown BAC vulnerabilities with low false positive rates. All identified issues have been responsibly disclosed, and artifacts will be publicly released.

Keywords

Cite

@article{arxiv.2507.15984,
  title  = {BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications},
  author = {I Putu Arya Dharmaadi and Mohannad Alhanahnah and Van-Thuan Pham and Fadi Mohsen and Fatih Turkmen},
  journal= {arXiv preprint arXiv:2507.15984},
  year   = {2025}
}

Comments

Under peer-review

R2 v1 2026-07-01T04:12:11.067Z