A Survey of Prevent and Detect Access Control Vulnerabilities
Li Zhong

TL;DR
This survey reviews approaches to proactively prevent and detect access control vulnerabilities in web applications, emphasizing the importance of systematic solutions across development stages to enhance security.
Contribution
It provides a structured overview of existing methods addressing access control vulnerabilities, highlighting gaps and open problems in the field.
Findings
Access control vulnerabilities are prevalent and cause major security incidents.
Current detection relies heavily on post-deployment bug bounty hunting.
Proactive prevention requires systematic, integrated solutions across development stages.
Abstract
Broken access control is one of the most common security vulnerabilities in web applications. These vulnerabilities are the major cause of many data breach incidents, which result in privacy concerns and revenue loss. However, preventing and detecting access control vulnerabilities proactively in web applications can be difficult. Currently, these vulnerabilities are actively detected by bug bounty hunters post-deployment, which creates attack windows for malicious access. Solving this problem proactively requires security awareness and expertise from developers, which calls for systematic solutions. This survey aims to provide a structured overview of approaches that tackle access control vulnerabilities. It first discusses the unique features of access control vulnerabilities, then studies the existing works proposed to tackle access control vulnerabilities in web…
Taxonomy
Topics: Web Application Security Vulnerabilities · Access Control and Trust · Software System Performance and Reliability
