{"id":"https://openalex.org/W7160407420","doi":"https://doi.org/10.1109/saner-c67878.2026.00036","title":"Broken Access Control Risks in Open Source Javascript Projects: A Security Analysis","display_name":"Broken Access Control Risks in Open Source Javascript Projects: A Security Analysis","publication_year":2026,"publication_date":"2026-03-17","ids":{"openalex":"https://openalex.org/W7160407420","doi":"https://doi.org/10.1109/saner-c67878.2026.00036"},"language":null,"primary_location":{"id":"doi:10.1109/saner-c67878.2026.00036","is_oa":false,"landing_page_url":"https://doi.org/10.1109/saner-c67878.2026.00036","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2026 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135512067","display_name":"Rima Ayusinta","orcid":null},"institutions":[{"id":"https://openalex.org/I56475706","display_name":"Mid Sweden University","ror":"https://ror.org/019k1pd13","country_code":"SE","type":"education","lineage":["https://openalex.org/I56475706"]}],"countries":["SE"],"is_corresponding":true,"raw_author_name":"Rima Ayusinta","raw_affiliation_strings":["Mid Sweden University,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Mid Sweden University,Sweden","institution_ids":["https://openalex.org/I56475706"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058857916","display_name":"Rodi Jolak","orcid":"https://orcid.org/0000-0001-5656-9253"},"institutions":[{"id":"https://openalex.org/I56475706","display_name":"Mid Sweden University","ror":"https://ror.org/019k1pd13","country_code":"SE","type":"education","lineage":["https://openalex.org/I56475706"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Rodi Jolak","raw_affiliation_strings":["Mid Sweden University,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Mid Sweden University,Sweden","institution_ids":["https://openalex.org/I56475706"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5088197636","display_name":"Raja Khurram Shahzad","orcid":"https://orcid.org/0000-0003-2806-9694"},"institutions":[{"id":"https://openalex.org/I56475706","display_name":"Mid Sweden University","ror":"https://ror.org/019k1pd13","country_code":"SE","type":"education","lineage":["https://openalex.org/I56475706"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Raja Khurram Shahzad","raw_affiliation_strings":["Mid Sweden University,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Mid Sweden University,Sweden","institution_ids":["https://openalex.org/I56475706"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5135512067"],"corresponding_institution_ids":["https://openalex.org/I56475706"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.95503205,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"222","last_page":"229"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.11800000071525574,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.11800000071525574,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.09719999879598618,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.08250000327825546,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/open-source","display_name":"Open source","score":0.5152000188827515},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.48840001225471497},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.3788999915122986},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.3375000059604645},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.3102000057697296}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6200000047683716},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5679000020027161},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.5152000188827515},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.48840001225471497},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3788999915122986},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.3375000059604645},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.3102000057697296},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.303600013256073},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.29330000281333923},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.28110000491142273},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2705000042915344},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.26510000228881836},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.26330000162124634},{"id":"https://openalex.org/C83163435","wikidata":"https://www.wikidata.org/wiki/Q3954104","display_name":"Security management","level":2,"score":0.2522999942302704}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/saner-c67878.2026.00036","is_oa":false,"landing_page_url":"https://doi.org/10.1109/saner-c67878.2026.00036","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2026 IEEE International Conference on Software Analysis, Evolution and Reengineering - Companion (SANER-C)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":15,"referenced_works":["https://openalex.org/W1963918138","https://openalex.org/W2419550901","https://openalex.org/W2742244373","https://openalex.org/W2782471262","https://openalex.org/W3005914237","https://openalex.org/W3107473573","https://openalex.org/W3144112734","https://openalex.org/W3214196324","https://openalex.org/W4281396748","https://openalex.org/W4288079454","https://openalex.org/W4367047263","https://openalex.org/W4387673910","https://openalex.org/W4388197345","https://openalex.org/W4392652182","https://openalex.org/W4399667970"],"related_works":[],"abstract_inverted_index":{"Context:":[0],"Broken":[1],"Access":[2],"Control":[3],"(BAC)":[4],"is":[5],"ranked":[6],"by":[7],"OWASP":[8],"as":[9,103],"the":[10,32,44],"most":[11],"critical":[12],"web":[13],"security":[14],"risk.":[15],"Open-source":[16],"JavaScript":[17,41,156],"projects,":[18,42],"with":[19,60,95],"their":[20],"openness":[21],"and":[22,34,86,128,146],"diverse":[23],"contributors,":[24],"are":[25],"particularly":[26],"exposed.":[27],"Objective:":[28],"This":[29],"study":[30],"investigates":[31],"prevalence":[33],"patterns":[35],"of":[36,46,67,106],"BAC":[37,114,151],"vulnerabilities":[38,115,152],"in":[39,93,154,161],"open-source":[40,155],"addressing":[43],"lack":[45],"empirical":[47],"evidence":[48],"beyond":[49],"enterprise":[50],"systems.":[51],"Method:":[52],"A":[53,64],"hybrid":[54],"approach":[55],"combined":[56],"Semgrep":[57],"static":[58],"analysis":[59,99,138],"manual":[61,117,165],"penetration":[62,118],"testing.":[63,119],"curated":[65],"set":[66],"166":[68],"GitHub":[69],"repositories":[70,102],"was":[71,139],"scanned":[72],"using":[73],"custom":[74],"rules":[75],"for":[76,167],"Insecure":[77],"Direct":[78],"Object":[79],"Reference":[80],"(IDOR),":[81],"unprotected":[82],"routes,":[83],"forced":[84],"browsing,":[85],"token/session":[87],"flaws;":[88],"flagged":[89,100],"cases":[90],"were":[91,109],"validated":[92],"Docker":[94],"Postman.":[96],"Results:":[97],"Static":[98,137,158],"33":[101],"potentially":[104],"vulnerable,":[105],"which":[107],"5":[108],"confirmed":[110],"to":[111],"contain":[112],"exploitable":[113],"through":[116],"Confirmed":[120],"issues":[121],"included":[122],"unauthenticated":[123],"endpoints,":[124],"parameter-based":[125],"privilege":[126],"escalation,":[127],"insecure":[129],"token":[130],"or":[131],"Cross-Origin":[132],"Resource":[133],"Sharing":[134],"(CORS)":[135],"handling.":[136],"useful,":[140],"but":[141,163],"showed":[142],"high":[143],"false":[144],"positives":[145],"limited":[147],"contextual":[148],"accuracy.":[149],"Conclusion:":[150],"recur":[153],"projects.":[157],"tools":[159],"aid":[160],"detection":[162],"require":[164],"validation":[166],"reliable":[168],"assessment.":[169]},"counts_by_year":[],"updated_date":"2026-05-08T13:12:06.581006","created_date":"2026-05-07T00:00:00"}