{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:16:43Z","timestamp":1763968603979,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":55,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690227","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"2934-2948","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Detecting Broken Object-Level Authorization Vulnerabilities in Database-Backed Applications"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-7874-6430","authenticated-orcid":false,"given":"Yongheng","family":"Huang","sequence":"first","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS &amp; University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-3055-8929","authenticated-orcid":false,"given":"Chenghang","family":"Shi","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS &amp; University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4162-0404","authenticated-orcid":false,"given":"Jie","family":"Lu","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0931-8767","authenticated-orcid":false,"given":"Haofeng","family":"Li","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7149-7671","authenticated-orcid":false,"given":"Haining","family":"Meng","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS &amp; University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4476-0541","authenticated-orcid":false,"given":"Lian","family":"Li","sequence":"additional","affiliation":[{"name":"SKLP, Institute of Computing Technology, CAS &amp; University of Chinese Academy of Sciences, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2020. Common Vulnerabilities and Exposures (CVE). https:\/\/cve.mitre.org\/."},{"key":"e_1_3_2_1_2_1","unstructured":"Abeer Alhuzali Rigel Gjomemo Birhanu Eshete and VN Venkatakrishnan. 2018. {NAVEX}: Precise and scalable exploit generation for dynamic web applications. In USENIX Security 18. 377--392."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/390013.808479"},{"key":"e_1_3_2_1_4_1","unstructured":"apisecurity.io. 2022. API1:2019 ? Broken object level authorizati. https:\/\/apisecurity.io\/encyclopedia\/content\/owasp\/api1-broken-object-level-authorization.htm."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Peter Bailis Alan Fekete Michael J Franklin Ali Ghodsi Joseph M Hellerstein and Ion Stoica. 2015. Feral concurrency control: An empirical investigation of modern application integrity. In SIGMOD 15. 1327--1342.","DOI":"10.1145\/2723372.2737784"},{"key":"e_1_3_2_1_6_1","unstructured":"Dan Barahona. 2022. What is Broken Object Level Authorization (BOLA) and How to Fix It. https:\/\/www.apisec.ai\/blog\/broken-object-level-authorization."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Ivan Bocic and Tevfik Bultan. 2016. Finding access control bugs in web applications with CanCheck. In ASE 16. 155--166.","DOI":"10.1145\/2970276.2970350"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"An Chen JiHo Lee Basanta Chaulagain Yonghwi Kwon and Kyu Hyung Lee. 2023. SynthDB: Synthesizing Database via Program Analysis for Security Testing of Web Applications.. In NDSS.","DOI":"10.14722\/ndss.2023.24632"},{"key":"e_1_3_2_1_9_1","volume-title":"9th USENIX Symposium on Operating Systems Design and Implementation (OSDI 10)","author":"Chlipala Adam","year":"2010","unstructured":"Adam Chlipala. 2010. Static Checking of {Dynamically-Varying} Security Policies in {Database-Backed} Applications. In 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI 10)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/115372.115320"},{"key":"e_1_3_2_1_11_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Eykholt Kevin","year":"2017","unstructured":"Kevin Eykholt, Atul Prakash, and Barzan Mozafari. 2017. Ensuring Authorized Updates in Multi-user {Database-Backed} Applications. In 26th USENIX Security Symposium (USENIX Security 17). 1445--1462."},{"key":"e_1_3_2_1_12_1","volume-title":"19th USENIX Security Symposium (USENIX Security 10)","author":"Felmetsger Viktoria","year":"2010","unstructured":"Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2010. Toward automated detection of logic vulnerabilities in web applications. In 19th USENIX Security Symposium (USENIX Security 10)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2018.5615"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2019.0186"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Yang Hu Wenxi Wang Casen Hunger Riley Wood Sarfraz Khurshid and Mohit Tiwari. 2021. ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities. In ESEC\/FSE 21. 316--327.","DOI":"10.1145\/3468264.3468627"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"crossref","unstructured":"Haochen Huang Bingyu Shen Li Zhong and Yuanyuan Zhou. 2023. Protecting data integrity of web applications with database constraints inferred from application code. In ASPLOS 23. 632--645.","DOI":"10.1145\/3575693.3575699"},{"key":"e_1_3_2_1_17_1","unstructured":"Stepan Ilyin. 2024. What is Broken Object Level Authorization? https:\/\/www.wallarm.com\/what\/broken-object-level-authorization."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10844-019-00562-z"},{"key":"e_1_3_2_1_19_1","unstructured":"JSQLParser. 2024. Java SQL Parser. https:\/\/jsqlparser.github.io\/JSqlParser\/."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5120\/20082-2148"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5220\/0010300102040216"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"crossref","unstructured":"Xiaowei Li Xujie Si and Yuan Xue. 2014. Automated black-box detection of access control vulnerabilities in web applications. In CODASPY 14. 49--60.","DOI":"10.1145\/2557547.2557552"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.14778\/3583140.3583141"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Jie Lu Haofeng Li Chen Liu Lian Li and Kun Cheng. 2022. Detecting missing-permission-check vulnerabilities in distributed cloud systems. In CCS 22. 2145--2158.","DOI":"10.1145\/3548606.3560589"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"crossref","unstructured":"Changhua Luo Penghui Li and Wei Meng. 2022. TChecker: Precise static inter-procedural analysis for detecting taint-style vulnerabilities in PHP applications. In CCS 22. 2175--2188.","DOI":"10.1145\/3548606.3559391"},{"key":"e_1_3_2_1_26_1","volume-title":"Nemesis: Preventing authentication and access control vulnerabilities in web applications.","author":"Dalton N. Zeldovich M.","year":"2009","unstructured":"N. Zeldovich M. Dalton, C. Kozyrakis. 2009. Nemesis: Preventing authentication and access control vulnerabilities in web applications. (2009)."},{"key":"e_1_3_2_1_27_1","volume-title":"IDOT: Black-Box Detection of Access Control Violations in Web Applications. ISeCure 13, 2","author":"Hadavi S. Ghasemi M.A.","year":"2021","unstructured":"S. Ghasemi M.A. Hadavi, A. Bagherdaei. 2021. IDOT: Black-Box Detection of Access Control Violations in Web Applications. ISeCure 13, 2 (2021)."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660337"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"crossref","unstructured":"Divya Muthukumaran Dan O'Keeffe Christian Priebe David Eyers Brian Shand and Peter Pietzuch. 2015. FlowWatcher: Defending against data disclosure vulnerabilities in web applications. In CCS 15. 603--615.","DOI":"10.1145\/2810103.2813639"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884836"},{"key":"e_1_3_2_1_31_1","unstructured":"Eric Olsson Benjamin Eriksson Adam Doup\u00e9 and Andrei Sabelfeld. [n. d.]. Spider-Scents: Grey-box Database-aware Web Scanning for Stored XSS. ([n. d.])."},{"key":"e_1_3_2_1_32_1","unstructured":"owsap. 2023. API1:2023 Broken Object Level Authorization. https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0xa1-broken-object-level-authorization\/."},{"key":"e_1_3_2_1_33_1","unstructured":"owsap. 2023. API5:2023 Broken Function Level Authorization. https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0xa5-broken-function-level-authorization\/."},{"volume-title":"OWASP Top 10 API Security Risks --","year":"2023","key":"e_1_3_2_1_34_1","unstructured":"owsap. 2023. OWASP Top 10 API Security Risks -- 2023. https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/."},{"key":"e_1_3_2_1_35_1","unstructured":"owsap. 2024. SQL Injection. https:\/\/owasp.org\/www-community\/attacks\/SQL_Injection."},{"key":"e_1_3_2_1_36_1","unstructured":"owsap. 2024. XSS. https:\/\/owasp.org\/www-community\/attacks\/xss\/."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.21"},{"key":"e_1_3_2_1_38_1","volume-title":"Penetration Testing on Web Application Using Insecure Direct Object References (IDOR) Method. In 2022 International Conference on ICT for Smart Society (ICISS). IEEE, 01--07","author":"Eka Pratama I Putu Agus","year":"2022","unstructured":"I Putu Agus Eka Pratama and Alvin Maulana Rhusuli. 2022. Penetration Testing on Web Application Using Insecure Direct Object References (IDOR) Method. In 2022 International Conference on ICT for Smart Society (ICISS). IEEE, 01--07."},{"key":"e_1_3_2_1_39_1","unstructured":"reddelexc. 2023. Top IDOR reports from HackerOne. https:\/\/github.com\/reddelexc\/hackerone-reports\/blob\/master\/tops_by_bug_type\/TOPIDOR.md."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/s42979-022-01271-1"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"crossref","unstructured":"Sooel Son Kathryn S McKinley and Vitaly Shmatikov. 2011. Rolecast: finding missing security checks when you do not know what checks are. In OOPSLA 11. 1069--1084.","DOI":"10.1145\/2048066.2048146"},{"key":"e_1_3_2_1_42_1","first-page":"1043","article-title":"Splendor","volume":"23","author":"Su He","year":"2023","unstructured":"He Su, Feng Li, Lili Xu, Wenbo Hu, Yujie Sun, Qing Sun, Huina Chao, and Wei Huo. 2023. Splendor: Static Detection of Stored XSS in Modern Web Applications. In ISSTA 23. 1043--1054.","journal-title":"In ISSTA"},{"key":"e_1_3_2_1_43_1","volume-title":"USENIX Security Symposium","volume":"64","author":"Sun Fangqi","year":"2011","unstructured":"Fangqi Sun, Liang Xu, and Zhendong Su. 2011. Static Detection of Access Control Vulnerabilities in Web Applications.. In USENIX Security Symposium, Vol. 64."},{"key":"e_1_3_2_1_44_1","volume-title":"USENIX Security Symposium. 379--394","author":"Tan Lin","year":"2008","unstructured":"Lin Tan, Xiaolan Zhang, Xiao Ma, Weiwei Xiong, and Yuanyuan Zhou. 2008. AutoISES: Automatically Inferring Security Specification and Detecting Violations.. In USENIX Security Symposium. 379--394."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179317"},{"volume-title":"WiSPNET 16","author":"Vithanage Nisal Madhushan","key":"e_1_3_2_1_46_1","unstructured":"Nisal Madhushan Vithanage and Neera Jeyamohan. 2016. WebGuardia-An integrated penetration testing system to detect web application vulnerabilities. In WiSPNET 16. IEEE, 221--227."},{"volume-title":"S&P 24","author":"Wang Enze","key":"e_1_3_2_1_47_1","unstructured":"Enze Wang, Jianjun Chen, Wei Xie, Chuhan Wang, Yifei Gao, Zhenhua Wang, Haixin Duan, Yang Liu, and Baosheng Wang. 2024. Where URLs Become Weapons: Automated Discovery of SSRF Vulnerabilities in Web Applications. In S&P 24. IEEE Computer Society, 216--216."},{"key":"e_1_3_2_1_48_1","unstructured":"The world's first bug bounty latform for AI\/ML. 2024. Common Vulnerabilities and Exposures (CVE). https:\/\/huntr.com\/."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"crossref","unstructured":"W. Xu L. Huang A. Fox D. Patterson and M.I. Jordan. 2009. Detecting large-scale system problems by mining console logs. In SOSP 09. 117--132.","DOI":"10.1145\/1629575.1629587"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380375"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"crossref","unstructured":"Junwen Yang Pranav Subramaniam Shan Lu Cong Yan and Alvin Cheung. 2018. How not to structure your database-backed web applications: a study of performance bugs in the wild. In ICSE 18. 800--810.","DOI":"10.1145\/3180155.3180194"},{"key":"e_1_3_2_1_52_1","unstructured":"Chendong Yu Yang Xiao Jie Lu Yuekang Li Yeting Li Lian Li Yifan Dong Jian Wang Jingyi Shi Defang Bo et al . [n. d.]. File Hijacking Vulnerability: The Elephant in the Room. ([n. d.])."},{"key":"e_1_3_2_1_53_1","volume-title":"28th USENIX Security Symposium. 1205--1220","author":"Zhang Tong","year":"2019","unstructured":"Tong Zhang, Wenbo Shen, Dongyoon Lee, Changhee Jung, Ahmed M Azab, and Ruowen Wang. 2019. Pex: A permission check analysis framework for linux kernel. In 28th USENIX Security Symposium. 1205--1220."},{"key":"e_1_3_2_1_54_1","volume-title":"Yu Luo, Ding Yuan, and Michael Stumm.","author":"Zhao Xu","year":"2014","unstructured":"Xu Zhao, Yongle Zhang, David Lion, Muhammad Faizan Ullah, Yu Luo, Ding Yuan, and Michael Stumm. 2014. lprof: A non-intrusive request flow profiler for distributed systems. In OSDI 14. 629--644."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134089"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Salt Lake City UT USA","acronym":"CCS '24"},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690227","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690227","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:08:37Z","timestamp":1755842917000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690227"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":55,"alternative-id":["10.1145\/3658644.3690227","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690227","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}