{"id":"https://openalex.org/W7131361531","doi":"https://doi.org/10.1186/s13635-026-00226-w","title":"Mutation based improvement of security test case quality for broken access control","display_name":"Mutation based improvement of security test case quality for broken access control","publication_year":2026,"publication_date":"2026-02-25","ids":{"openalex":"https://openalex.org/W7131361531","doi":"https://doi.org/10.1186/s13635-026-00226-w"},"language":"en","primary_location":{"id":"doi:10.1186/s13635-026-00226-w","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s13635-026-00226-w","pdf_url":null,"source":{"id":"https://openalex.org/S5407056161","display_name":"Journal on Information Security","issn_l":"3091-4515","issn":["3091-4515"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal on Information Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1186/s13635-026-00226-w","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126758770","display_name":"Abdurrasyid","orcid":null},"institutions":[{"id":"https://openalex.org/I134635517","display_name":"Bandung Institute of Technology","ror":"https://ror.org/00apj8t60","country_code":"ID","type":"education","lineage":["https://openalex.org/I134635517"]}],"countries":["ID"],"is_corresponding":false,"raw_author_name":"Abdurrasyid","raw_affiliation_strings":["School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia","institution_ids":["https://openalex.org/I134635517"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5041367526","display_name":"Yudistira Asnar","orcid":null},"institutions":[{"id":"https://openalex.org/I134635517","display_name":"Bandung Institute of Technology","ror":"https://ror.org/00apj8t60","country_code":"ID","type":"education","lineage":["https://openalex.org/I134635517"]}],"countries":["ID"],"is_corresponding":true,"raw_author_name":"Yudistira Asnar","raw_affiliation_strings":["School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia","institution_ids":["https://openalex.org/I134635517"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5038375278","display_name":"Gusti Ayu Putri Saptawati","orcid":"https://orcid.org/0009-0006-5003-9781"},"institutions":[{"id":"https://openalex.org/I134635517","display_name":"Bandung Institute of Technology","ror":"https://ror.org/00apj8t60","country_code":"ID","type":"education","lineage":["https://openalex.org/I134635517"]}],"countries":["ID"],"is_corresponding":false,"raw_author_name":"Gusti Ayu Putri Saptawati","raw_affiliation_strings":["School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Bandung, Indonesia","institution_ids":["https://openalex.org/I134635517"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5041367526"],"corresponding_institution_ids":["https://openalex.org/I134635517"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.2677761,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"2026","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.7501999735832214,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.7501999735832214,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.1437000036239624,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.05380000174045563,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/test-case","display_name":"Test case","score":0.6358000040054321},{"id":"https://openalex.org/keywords/mutation","display_name":"Mutation","score":0.5644000172615051},{"id":"https://openalex.org/keywords/test","display_name":"Test (biology)","score":0.5483999848365784},{"id":"https://openalex.org/keywords/quality","display_name":"Quality (philosophy)","score":0.5195000171661377},{"id":"https://openalex.org/keywords/mutation-testing","display_name":"Mutation testing","score":0.47699999809265137},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.45989999175071716},{"id":"https://openalex.org/keywords/test-suite","display_name":"Test suite","score":0.43709999322891235},{"id":"https://openalex.org/keywords/code-coverage","display_name":"Code coverage","score":0.4041999876499176},{"id":"https://openalex.org/keywords/operator","display_name":"Operator (biology)","score":0.3919999897480011}],"concepts":[{"id":"https://openalex.org/C128942645","wikidata":"https://www.wikidata.org/wiki/Q1568346","display_name":"Test case","level":3,"score":0.6358000040054321},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5813999772071838},{"id":"https://openalex.org/C501734568","wikidata":"https://www.wikidata.org/wiki/Q42918","display_name":"Mutation","level":3,"score":0.5644000172615051},{"id":"https://openalex.org/C2777267654","wikidata":"https://www.wikidata.org/wiki/Q3519023","display_name":"Test (biology)","level":2,"score":0.5483999848365784},{"id":"https://openalex.org/C2779530757","wikidata":"https://www.wikidata.org/wiki/Q1207505","display_name":"Quality (philosophy)","level":2,"score":0.5195000171661377},{"id":"https://openalex.org/C163565370","wikidata":"https://www.wikidata.org/wiki/Q4308623","display_name":"Mutation testing","level":4,"score":0.47699999809265137},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.46720001101493835},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.45989999175071716},{"id":"https://openalex.org/C151552104","wikidata":"https://www.wikidata.org/wiki/Q7705809","display_name":"Test suite","level":4,"score":0.43709999322891235},{"id":"https://openalex.org/C200601418","wikidata":"https://www.wikidata.org/wiki/Q2193887","display_name":"Reliability engineering","level":1,"score":0.43380001187324524},{"id":"https://openalex.org/C53942775","wikidata":"https://www.wikidata.org/wiki/Q1211721","display_name":"Code coverage","level":3,"score":0.4041999876499176},{"id":"https://openalex.org/C17020691","wikidata":"https://www.wikidata.org/wiki/Q139677","display_name":"Operator (biology)","level":5,"score":0.3919999897480011},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.388700008392334},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.3659000098705292},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.314300000667572},{"id":"https://openalex.org/C169903167","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Test set","level":2,"score":0.3028999865055084},{"id":"https://openalex.org/C7435765","wikidata":"https://www.wikidata.org/wiki/Q7705776","display_name":"Test Management Approach","level":5,"score":0.2897999882698059},{"id":"https://openalex.org/C132519959","wikidata":"https://www.wikidata.org/wiki/Q3077373","display_name":"Test method","level":2,"score":0.28949999809265137},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.28870001435279846},{"id":"https://openalex.org/C16910744","wikidata":"https://www.wikidata.org/wiki/Q7705759","display_name":"Test data","level":2,"score":0.28630000352859497},{"id":"https://openalex.org/C80519477","wikidata":"https://www.wikidata.org/wiki/Q3532236","display_name":"Scenario testing","level":3,"score":0.28200000524520874},{"id":"https://openalex.org/C2779346075","wikidata":"https://www.wikidata.org/wiki/Q7268763","display_name":"Quality Score","level":3,"score":0.272599995136261},{"id":"https://openalex.org/C108913964","wikidata":"https://www.wikidata.org/wiki/Q2376856","display_name":"System under test","level":4,"score":0.27000001072883606},{"id":"https://openalex.org/C106436119","wikidata":"https://www.wikidata.org/wiki/Q836575","display_name":"Quality assurance","level":3,"score":0.26019999384880066},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.25589999556541443},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.2500999867916107}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1186/s13635-026-00226-w","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s13635-026-00226-w","pdf_url":null,"source":{"id":"https://openalex.org/S5407056161","display_name":"Journal on Information Security","issn_l":"3091-4515","issn":["3091-4515"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal on Information Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1186/s13635-026-00226-w","is_oa":true,"landing_page_url":"https://doi.org/10.1186/s13635-026-00226-w","pdf_url":null,"source":{"id":"https://openalex.org/S5407056161","display_name":"Journal on Information Security","issn_l":"3091-4515","issn":["3091-4515"],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal on Information Security","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7661210298538208,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320329091","display_name":"Institut Teknologi Bandung","ror":"https://ror.org/00apj8t60"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W2311532076","https://openalex.org/W2339109237","https://openalex.org/W2887339156","https://openalex.org/W2887400446","https://openalex.org/W2888934130","https://openalex.org/W2900347730","https://openalex.org/W2998339271","https://openalex.org/W3009106352","https://openalex.org/W3015499098","https://openalex.org/W3017250425","https://openalex.org/W3025451187","https://openalex.org/W3081696033","https://openalex.org/W3090362160","https://openalex.org/W3116888547","https://openalex.org/W3117848542","https://openalex.org/W3130509995","https://openalex.org/W3131125225","https://openalex.org/W3160691259","https://openalex.org/W3167415215","https://openalex.org/W3173305404","https://openalex.org/W3194850524","https://openalex.org/W3196350964","https://openalex.org/W4205985382","https://openalex.org/W4206520091","https://openalex.org/W4206765052","https://openalex.org/W4226494072","https://openalex.org/W4281679960","https://openalex.org/W4297095044","https://openalex.org/W4312286091","https://openalex.org/W4322626378","https://openalex.org/W4324007114","https://openalex.org/W4384155735","https://openalex.org/W4387713364","https://openalex.org/W4392888376","https://openalex.org/W4396554347","https://openalex.org/W4402442864","https://openalex.org/W4403424215","https://openalex.org/W4407736504"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"Broken":[1],"access":[2,126],"control":[3],"(BAC)":[4],"remains":[5,74],"the":[6,28,31,42,115,150,159,239],"most":[7],"critical":[8],"security":[9,84,143,170,248],"risk":[10],"(i.e.,":[11],"OWASP":[12],"Top":[13],"10).":[14],"Although":[15],"BAC":[16,90,253],"is":[17,46,67],"commonly":[18],"tested":[19],"with":[20],"dynamic":[21],"white-box":[22],"techniques,":[23],"their":[24],"effectiveness":[25],"hinge":[26],"on":[27,41,168,210,216],"strength":[29],"of":[30,117,152],"underlying":[32],"test":[33,36,62,85,160,171,189,199,208,222,231,249],"cases;":[34],"weak":[35],"cases":[37,86,161,200,209,223,232,250],"leave":[38],"exploitable":[39],"risks":[40],"software.":[43],"Mutation":[44,164],"testing":[45,77],"widely":[47],"used":[48,69],"and":[49,58,96,128,136,157,201,226],"has":[50],"been":[51],"empirically":[52],"shown":[53],"to":[54,82,113,133,142,197,206,220,229,251],"be":[55],"highly":[56],"sensitive":[57],"reliable":[59],"for":[60,76,88,224,233],"evaluating":[61],"case":[63,190],"quality.":[64],"Though":[65],"it":[66,73],"also":[68],"in":[70,193,202,246],"software":[71],"security,":[72],"limited":[75],"BAC.":[78],"This":[79],"study":[80],"aims":[81],"improve":[83],"quality":[87,191],"two":[89],"vulnerabilities:":[91],"Improper":[92],"Pathname":[93],"Limitation":[94],"(IPL)":[95],"Cross-Site":[97],"Request":[98],"Forgery":[99],"(CSRF).":[100],"We":[101],"introduce":[102],"15":[103],"novel":[104],"mutation":[105,131,241],"operators,":[106,132,178],"systematically":[107],"formulated":[108],"through":[109],"data":[110],"flow":[111],"analysis":[112],"understand":[114],"nature":[116],"those":[118],"vulnerabilities.":[119,144,254],"The":[120,145],"proposed":[121,240],"operator":[122],"groups,":[123],"including":[124],"file":[125],"check":[127],"CSRF-token":[129],"related":[130],"simulate":[134],"realistic":[135],"possible":[137],"semantic":[138],"fallacies":[139],"that":[140,176,238],"lead":[141],"approach":[146],"was":[147],"evaluated":[148],"using":[149,163],"Quality":[151],"mutant":[153],"set":[154],"Coverage":[155],"(QCo)":[156],"measuring":[158],"improvement":[162],"Score":[165],"Indicator":[166],"(MSI)":[167],"29":[169],"cases.":[172],"Experimental":[173],"results":[174],"show":[175],"all":[177],"implemented":[179],"as":[180],"infectious":[181],"PHP":[182],"extension,":[183],"achieved":[184],"QCo":[185],"above":[186],"85%,":[187],"while":[188],"improved":[192],"CSRF":[194,225],"from":[195,204,218,227],"5":[196],"12":[198],"IPL":[203],"8":[205,221],"17":[207],"a":[211],"PHP-based":[212],"dummy":[213],"project,":[214],"whereas":[215],"DVWA":[217],"6":[219],"4":[228],"7":[230],"IPL.":[234],"These":[235],"findings":[236],"indicate":[237],"operators":[242],"substantially":[243],"enable":[244],"developers":[245],"strengthening":[247],"reveal":[252]},"counts_by_year":[],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2026-02-25T00:00:00"}
