BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications
I Putu Arya Dharmaadi, Mohannad Alhanahnah, Van-Thuan Pham, Fadi Mohsen, Fatih Turkmen

TL;DR
BACFuzz is a novel gray-box fuzzing framework that effectively uncovers broken access control vulnerabilities in web applications by combining LLM-guided testing, runtime feedback, and SQL-based oracle checks.
Contribution
The paper introduces BACFuzz, the first framework specifically targeting broken access control (BAC) vulnerabilities in PHP web apps, integrating LLM guidance and runtime analysis for improved detection.
Findings
Detected 16 of 17 known issues in real-world apps.
Uncovered 26 previously unknown BAC vulnerabilities.
Achieved low false positive rates in vulnerability detection.
Abstract
Broken Access Control (BAC) remains one of the most critical and widespread vulnerabilities in web applications, allowing attackers to access unauthorized resources or perform privileged actions. Despite its severity, BAC is underexplored in automated testing due to key challenges: the lack of reliable oracles and the difficulty of generating semantically valid attack requests. We introduce BACFuzz, the first gray-box fuzzing framework specifically designed to uncover BAC vulnerabilities, including Broken Object-Level Authorization (BOLA) and Broken Function-Level Authorization (BFLA) in PHP-based web applications. BACFuzz combines LLM-guided parameter selection with runtime feedback and SQL-based oracle checking to detect silent authorization flaws. It employs lightweight instrumentation to capture runtime information that guides test generation, and analyzes backend SQL queries to…
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Software Testing and Debugging Techniques
