Automated Detection of Context-Dependent Broken Access Control

Develop automated testing and oracle techniques to detect and verify context-dependent Broken Access Control vulnerabilities in PHP-based, database-backed web applications, where exploitation requires satisfying preconditions (for example, resource creation or feature activation) that drive the application into specific states before unauthorized access becomes observable.

Background

The paper scopes BACFuzz to role-based access control and focuses on BOLA and BFLA vulnerabilities detectable via SQL DML queries. The authors note that some BAC cases depend on user actions and application state, making them challenging for automated fuzzing because the vulnerability only surfaces after specific preconditions are met.

Context-dependent BAC requires a sequence of actions (e.g., creating resources or enabling features) that transition the application into a state where unauthorized access becomes visible. Automating the discovery, orchestration, and verification of these state-dependent scenarios is identified as beyond the current capabilities of BACFuzz and left open.
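The state dependence described above can be seen in a small simulation, added here as an illustration and not taken from the paper or from BACFuzz. The table, handlers, user names, and the simplified DML-based oracle are all assumptions: the same cross-user request is silent in an empty application and only becomes observable once the other user has created a resource.

```python
import sqlite3

def new_app():
    """Constructed toy application state: one table of per-user notes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    return db

def create_note(db, user, body):
    """Precondition action: a user creates a resource."""
    return db.execute("INSERT INTO notes (owner, body) VALUES (?, ?)", (user, body)).lastrowid

def delete_note(db, user, note_id):
    """Deliberately vulnerable handler: no ownership check (BOLA)."""
    return db.execute("DELETE FROM notes WHERE id = ?", (note_id,)).rowcount

def delete_note_fixed(db, user, note_id):
    """Hardened handler: the DML is scoped to the caller's own rows."""
    return db.execute("DELETE FROM notes WHERE id = ? AND owner = ?", (note_id, user)).rowcount

def oracle(db, handler, caller, note_id):
    """Flag a violation when the caller's request changes a row owned by someone else."""
    row = db.execute("SELECT owner FROM notes WHERE id = ?", (note_id,)).fetchone()
    affected = handler(db, caller, note_id)
    return row is not None and row[0] != caller and affected > 0

def probe(handler, with_precondition):
    """Run one cross-user request, optionally after driving the app into the required state."""
    db = new_app()
    target_id = 1  # id the other user's first note will receive
    if with_precondition:
        target_id = create_note(db, "alice", "private")
    return oracle(db, handler, "bob", target_id)

if __name__ == "__main__":
    print("vulnerable, empty state:   ", probe(delete_note, False))
    print("vulnerable, after creation:", probe(delete_note, True))
    print("fixed, after creation:     ", probe(delete_note_fixed, True))
```

A test run that never performs the creation step reports the vulnerable handler as clean, which is the gap the open problem describes.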

References

First, we identified context-dependent BAC, which refers to vulnerabilities that only manifest after a user performs specific actions, causing a WUT to enter a certain state. These cases require preconditions (e.g., resource creation or feature activation) before unauthorized access becomes observable. As a result, both context-dependent and passive BAC remain open challenges for future work.

BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications (2507.15984 - Dharmaadi et al., 21 Jul 2025) in Conclusion and Future Work