
Oracle and Detection for Passive/View-Type BAC Involving SELECT-only Behavior

Develop an automated oracle and detection methodology for passive or view-type Broken Access Control in PHP-based, database-backed web applications, where unauthorized information disclosure occurs without any data modification and only through SELECT queries, enabling reliable verification of restricted information exposure on user pages.


Background

BACFuzz confirms BAC primarily by inspecting backend SQL DML queries (INSERT/UPDATE/DELETE) correlated with mutated inputs. This approach is ill-suited for cases where unauthorized access is purely read-only and no DML occurs.

Passive or view-type BAC exposes sensitive information via SELECT statements, making the authors’ current SQL-based oracle insufficient to verify such violations. Establishing a robust verification mechanism for read-only authorization flaws remains an open need.
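To make the gap concrete, the following is an added illustration (not BACFuzz's own code, and not a proposed solution to the open problem) of a DML-based oracle of the kind the background describes: it correlates the value injected by a mutated request with the SQL statements the backend executed and flags only writes. The trace format, the role labels, the two request/query pairs and the word-boundary correlation rule are all constructed assumptions for this example. Run against a read-only profile request, the same oracle returns nothing, which is exactly the passive BAC blind spot.

```python
import re
from dataclasses import dataclass, field

# Statement classes: DML writes are what a BACFuzz-style oracle keys on.
DML_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
SELECT_RE = re.compile(r"^\s*SELECT\b", re.IGNORECASE)


@dataclass
class Trace:
    """One fuzzed request plus the SQL the backend ran while serving it.

    Assumed shape for this example: the harness records the role of the
    session that sent the request, the value the mutation injected, and the
    backend's query log for that request.
    """
    request: str
    actor: str
    mutated_value: str
    queries: list = field(default_factory=list)


def classify(sql: str) -> str:
    """Return 'DML', 'SELECT' or 'OTHER' for one SQL statement."""
    if DML_RE.match(sql):
        return "DML"
    if SELECT_RE.match(sql):
        return "SELECT"
    return "OTHER"


def mentions(value: str, sql: str) -> bool:
    """Whole-token match so '4' does not match 'id = 42'."""
    return re.search(rf"\b{re.escape(value)}\b", sql) is not None


def dml_oracle(trace: Trace) -> list:
    """DML-based oracle: a write that carries the mutated value is evidence
    that a low-privilege actor changed a resource it should not reach."""
    return [q for q in trace.queries
            if classify(q) == "DML" and mentions(trace.mutated_value, q)]


def select_only(trace: Trace) -> bool:
    """True when the request produced reads only: the DML oracle is blind
    here even if the SELECT returned another user's restricted data."""
    kinds = {classify(q) for q in trace.queries}
    return bool(kinds) and kinds == {"SELECT"}


# Constructed sample traces (not from any real application).
ACTIVE = Trace(
    request="POST /admin/delete_user.php",
    actor="role:user",          # non-admin session
    mutated_value="42",         # another user's id injected by the mutation
    queries=[
        "SELECT id, role FROM users WHERE id = 42",
        "DELETE FROM users WHERE id = 42",
    ],
)

PASSIVE = Trace(
    request="GET /profile.php?id=42",
    actor="role:user",
    mutated_value="42",
    queries=["SELECT id, email, ssn FROM users WHERE id = 42"],
)


def evaluate(traces: list) -> dict:
    """Summarise what the DML oracle catches and which traces it cannot judge."""
    return {
        "flagged": [t.request for t in traces if dml_oracle(t)],
        "select_only_unjudged": [t.request for t in traces if select_only(t)],
    }


if __name__ == "__main__":
    print(evaluate([ACTIVE, PASSIVE]))
```

The write-type trace is flagged because the DELETE carries the injected id; the read-only trace is silent under the same oracle even though the SELECT pulled a restricted column for a foreign user, which is the case the open problem asks an oracle to verify.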

References

Second, we identified passive or view-type BAC, which allows unauthorized users to gain access to sensitive information without modifying any data in the DBMS. Since BACFuzz relies on data manipulation (DML) queries to infer unexpected actions, it is difficult to verify the violation of restricted information displayed on user pages that only involve SELECT statements. As a result, both context-dependent and passive BAC remain open challenges for future work.

BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications (2507.15984 - Dharmaadi et al., 21 Jul 2025) in Conclusion and Future Work