{"id":"https://openalex.org/W4416549313","doi":"https://doi.org/10.1145/3719027.3744825","title":"BACScan: Automatic Black-Box Detection of Broken-Access-Control Vulnerabilities in Web Applications","display_name":"BACScan: Automatic Black-Box Detection of Broken-Access-Control Vulnerabilities in Web Applications","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549313","doi":"https://doi.org/10.1145/3719027.3744825"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3744825","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3719027.3744825","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100695518","display_name":"Fengyu Liu","orcid":"https://orcid.org/0009-0009-4680-6513"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Fengyu Liu","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0009-4680-6513","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5017552210","display_name":"Yuan Zhang","orcid":"https://orcid.org/0000-0003-0726-9996"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yuan Zhang","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0000-0003-0726-9996","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Enhao Li","orcid":"https://orcid.org/0009-0006-8141-7319"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Enhao Li","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0006-8141-7319","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101960529","display_name":"Wei Meng","orcid":"https://orcid.org/0000-0001-8260-3304"},"institutions":[{"id":"https://openalex.org/I177725633","display_name":"Chinese University of Hong Kong","ror":"https://ror.org/00t33hh48","country_code":"HK","type":"education","lineage":["https://openalex.org/I177725633"]}],"countries":["HK"],"is_corresponding":false,"raw_author_name":"Wei Meng","raw_affiliation_strings":["The Chinese University of Hong Kong, Hong Kong SAE, China"],"raw_orcid":"https://orcid.org/0000-0001-8260-3304","affiliations":[{"raw_affiliation_string":"The Chinese University of Hong Kong, Hong Kong SAE, China","institution_ids":["https://openalex.org/I177725633"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5053341800","display_name":"Youkun Shi","orcid":"https://orcid.org/0009-0004-0763-4732"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Youkun Shi","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0004-0763-4732","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5062498002","display_name":"Qianheng Wang","orcid":"https://orcid.org/0009-0000-5619-8384"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qianheng Wang","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0000-5619-8384","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029525769","display_name":"Chenlin Wang","orcid":"https://orcid.org/0009-0008-0588-3005"},"institutions":[{"id":"https://openalex.org/I177725633","display_name":"Chinese University of Hong Kong","ror":"https://ror.org/00t33hh48","country_code":"HK","type":"education","lineage":["https://openalex.org/I177725633"]}],"countries":["HK"],"is_corresponding":false,"raw_author_name":"Chenlin Wang","raw_affiliation_strings":["The Chinese University of Hong Kong, Hong Kong SAR, China"],"raw_orcid":"https://orcid.org/0009-0008-0588-3005","affiliations":[{"raw_affiliation_string":"The Chinese University of Hong Kong, Hong Kong SAR, China","institution_ids":["https://openalex.org/I177725633"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064633339","display_name":"Zihan Lin","orcid":"https://orcid.org/0009-0001-2055-951X"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zihan Lin","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0009-0001-2055-951X","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052437722","display_name":"Min Yang","orcid":"https://orcid.org/0000-0001-9714-5545"},"institutions":[{"id":"https://openalex.org/I24943067","display_name":"Fudan University","ror":"https://ror.org/013q1eq08","country_code":"CN","type":"education","lineage":["https://openalex.org/I24943067"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Min Yang","raw_affiliation_strings":["Fudan University, Shanghai, China"],"raw_orcid":"https://orcid.org/0000-0001-9714-5545","affiliations":[{"raw_affiliation_string":"Fudan University, Shanghai, China","institution_ids":["https://openalex.org/I24943067"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":9,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.45154751,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1320","last_page":"1333"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9671000242233276,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9671000242233276,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.011599999852478504,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.007400000002235174,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5953999757766724},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5834000110626221},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.5206999778747559},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.3783000111579895},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.36910000443458557},{"id":"https://openalex.org/keywords/web-server","display_name":"Web server","score":0.35120001435279846},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.33799999952316284}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7325999736785889},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6877999901771545},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5953999757766724},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5834000110626221},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.5206999778747559},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.3783000111579895},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.36910000443458557},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3596000075340271},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web server","level":3,"score":0.35120001435279846},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.33799999952316284},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.3212999999523163},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.320499986410141},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.29420000314712524},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2865000069141388},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2863999903202057},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.273499995470047},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.263700008392334}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3719027.3744825","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3719027.3744825","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W1489243061","https://openalex.org/W1980760147","https://openalex.org/W2070689669","https://openalex.org/W2086042629","https://openalex.org/W2086631206","https://openalex.org/W2156279557","https://openalex.org/W2170478581","https://openalex.org/W2766106797","https://openalex.org/W2793043914","https://openalex.org/W3095708133","https://openalex.org/W3132629027","https://openalex.org/W4285493464","https://openalex.org/W4308410314","https://openalex.org/W4313563531","https://openalex.org/W4324007098","https://openalex.org/W4377193911","https://openalex.org/W4384302826","https://openalex.org/W4384948751","https://openalex.org/W4402264023"],"related_works":[],"abstract_inverted_index":{"Broken-Access-Control":[0],"(BAC)":[1],"vulnerabilities":[2,31,85,151],"have":[3,114,162],"consistently":[4],"been":[5,163],"ranked":[6],"among":[7],"the":[8,17,21,26,123,153],"most":[9],"critical":[10],"security":[11,45],"risks":[12],"in":[13,20,86],"web":[14,87,119],"applications,":[15],"occupying":[16],"top":[18],"positions":[19],"OWASP":[22],"Top":[23],"10":[24],"over":[25],"past":[27],"several":[28],"years.":[29],"These":[30],"allow":[32],"attackers":[33],"to":[34,49,59,66,82,152],"bypass":[35],"access":[36],"control":[37],"mechanisms":[38],"and":[39,46,52,63,121,133],"perform":[40],"unauthorized":[41,97,109],"operations,":[42],"posing":[43],"serious":[44],"privacy":[47],"threats":[48],"sensitive":[50],"business":[51],"user":[53],"data.":[54],"Despite":[55],"substantial":[56],"attention":[57],"given":[58],"BAC":[60,84],"vulnerabilities,":[61,137],"effective":[62],"reliable":[64],"approaches":[65],"detecting":[67],"these":[68],"issues":[69],"remain":[70],"limited.":[71],"In":[72],"this":[73],"work,":[74],"we":[75],"present":[76],"BACScan,":[77],"a":[78],"novel":[79],"black-box":[80],"approach":[81],"detect":[83],"applications.":[88],"Unlike":[89],"existing":[90],"response":[91],"similarity-based":[92],"oracles":[93],"that":[94],"check":[95],"only":[96],"read":[98,110],"accesses,":[99],"BACScan":[100,128],"introduces":[101],"an":[102],"innovative":[103],"feedback-driven":[104],"oracle,":[105],"which":[106],"determines":[107],"whether":[108],"or":[111],"modification":[112],"operations":[113],"occurred":[115],"by":[116],"inferring":[117],"operationally-dependent":[118],"pages":[120],"analyzing":[122],"operational":[124],"feedback.":[125],"We":[126,146],"evaluated":[127],"on":[129],"20":[130],"real-world":[131],"applications":[132],"successfully":[134],"identified":[135,150],"89":[136],"including":[138],"54":[139],"previously":[140],"unreported":[141],"ones,":[142],"outperforming":[143],"state-of-the-art":[144],"tools.":[145],"reported":[147],"all":[148],"newly":[149],"affected":[154],"vendors.":[155],"To":[156],"date,":[157],"35":[158],"new":[159],"CVE":[160],"IDs":[161],"assigned.":[164]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-11-23T00:00:00"}