Title: Techniques for discovering broken access control vulnerabilities constructed upon abnormal behaviours
Authors: Shuo Wen; Qi Wu; Lixuan Zhao; Qifeng Li; Kangyuan He; Tingjun Huang
Addresses: Guangdong Police College, Guangzhou 510230, China (all six authors)
Abstract: With the rise of mobile internet, cloud computing and big data, web applications have become vital in many industries, and ensuring the security of the data they hold is crucial. Broken access control, a prevalent vulnerability arising from discrepancies between the intended and the actually implemented permission checks, enables unauthorised data access and poses a severe threat. This paper analyses the causes and types of broken access control vulnerabilities and proposes a novel vulnerability mining approach based on abnormal behaviour. The method identifies, within normal user-server interactions, the sensitive behaviours indicative of vertical and horizontal broken access control, and constructs corresponding abnormal behaviours for detection. To validate the efficacy of this approach, a comprehensive and rigorous experiment was carried out using a tailored web application system. The experimental results demonstrate that the method can effectively identify broken access control vulnerabilities in web applications without access to the source code, significantly enhancing detection efficiency.
Keywords: web applications; broken access control vulnerabilities; abnormal behaviours; vulnerability discovery.
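As an added illustration of the approach the abstract describes (this is example code written for this page, not the authors' implementation), the following Python model records normal user-server interactions, derives abnormal variants by replaying each request under a same-rank identity (horizontal test) or a lower-rank identity (vertical test), and flags a request when the server's successful response does not change. The target server, session table and recorded interactions are all constructed for the example; the `/docs/<id>` ownership flaw is deliberate so that the detector has something to find.

```python
# Added example, not code from the paper: an in-process model of the approach
# the abstract describes. Recorded normal interactions are replayed as abnormal
# ones (same request, other identity); a request is flagged if the response holds.
from collections import namedtuple
RANK = {"user": 0, "admin": 1}
# Constructed session table: token -> (user id, role); document id -> owner
SESSIONS = {"sess-alice": ("u1", "user"), "sess-bob": ("u2", "user"),
            "sess-admin": ("u9", "admin")}
DOCS = {"d100": "u1", "d200": "u2"}
Interaction = namedtuple("Interaction", "method path session")  # a recorded normal behaviour

def toy_server(method, path, session):
    """Constructed target: /docs/<id> never checks ownership (horizontal
    flaw); /admin/users checks the role correctly (no vertical flaw)."""
    if session not in SESSIONS:
        return 401, ""
    uid, role = SESSIONS[session]
    if method == "GET" and path.startswith("/docs/"):
        doc = path.split("/")[2]
        if doc not in DOCS:
            return 404, ""
        return 200, f"doc {doc} of {DOCS[doc]}"  # missing: DOCS[doc] == uid check
    if method == "GET" and path == "/admin/users":
        return (200, ",".join(u for u, _ in SESSIONS.values())) if role == "admin" else (403, "")
    return 404, ""

def construct_abnormal(normal, sessions=SESSIONS):
    """Yield (kind, session): same rank -> horizontal test, lower rank -> vertical
    test; higher-ranked identities are skipped since their access may be legitimate."""
    base = RANK[sessions[normal.session][1]]
    for sess, (_, role) in sessions.items():
        if sess != normal.session and RANK[role] <= base:
            yield ("horizontal" if RANK[role] == base else "vertical"), sess

def find_broken_access_control(interactions, server=toy_server, sessions=SESSIONS):
    """Return (kind, path, session) for each abnormal replay that receives
    exactly the same successful response as the normal interaction did."""
    findings = []
    for n in interactions:
        expected = server(n.method, n.path, n.session)
        if expected[0] != 200:
            continue  # only successful normal behaviour is a useful baseline
        for kind, sess in construct_abnormal(n, sessions):
            if server(n.method, n.path, sess) == expected:
                findings.append((kind, n.path, sess))
    return findings
# Constructed recording of normal user-server interactions
NORMAL = [Interaction("GET", "/docs/d100", "sess-alice"),
          Interaction("GET", "/admin/users", "sess-admin")]
```

Running `find_broken_access_control(NORMAL)` reports the horizontal flaw on `/docs/d100` (Bob's session receives Alice's document unchanged) and nothing for `/admin/users`, whose role check turns the vertical replays into 403 responses.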
International Journal of Security and Networks, 2025 Vol.20 No.3, pp.187 - 196
Received: 15 Apr 2025
Accepted: 01 May 2025
Published online: 06 Oct 2025