{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:15:00Z","timestamp":1766441700160,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744825","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"1320-1333","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["BACScan: Automatic Black-Box Detection of Broken-Access-Control Vulnerabilities in Web Applications"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-4680-6513","authenticated-orcid":false,"given":"Fengyu","family":"Liu","sequence":"first","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0726-9996","authenticated-orcid":false,"given":"Yuan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-8141-7319","authenticated-orcid":false,"given":"Enhao","family":"Li","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8260-3304","authenticated-orcid":false,"given":"Wei","family":"Meng","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong SAE, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-0763-4732","authenticated-orcid":false,"given":"Youkun","family":"Shi","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-5619-8384","authenticated-orcid":false,"given":"Qianheng","family":"Wang","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0588-3005","authenticated-orcid":false,"given":"Chenlin","family":"Wang","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong SAR, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-2055-951X","authenticated-orcid":false,"given":"Zihan","family":"Lin","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9714-5545","authenticated-orcid":false,"given":"Min","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Amazon Official Website. https:\/\/www.amazon.com."},{"key":"e_1_3_2_1_2_1","unstructured":"CVE Program. https:\/\/www.cve.org\/About\/Overview."},{"key":"e_1_3_2_1_3_1","unstructured":"CWE200. https:\/\/cwe.mitre.org\/data\/definitions\/200.html."},{"key":"e_1_3_2_1_4_1","unstructured":"CWE284. https:\/\/cwe.mitre.org\/data\/definitions\/284.html."},{"key":"e_1_3_2_1_5_1","unstructured":"Evocrawl on Github. https:\/\/github.com\/dlgroupuoft\/evocrawl."},{"key":"e_1_3_2_1_6_1","unstructured":"Exploit DB. https:\/\/www.exploit-db.com\/."},{"key":"e_1_3_2_1_7_1","unstructured":"Huntr platform. https:\/\/huntr.com\/."},{"key":"e_1_3_2_1_8_1","unstructured":"Openemr on Github. https:\/\/github.com\/openemr\/openemr."},{"key":"e_1_3_2_1_9_1","unstructured":"Paypal Official Website. https:\/\/www.paypal.com."},{"key":"e_1_3_2_1_10_1","unstructured":"Playwright on Github. https:\/\/playwright.dev\/python\/."},{"key":"e_1_3_2_1_11_1","unstructured":"Supermarket on Github. https:\/\/github.com\/ZongXR\/SuperMarket."},{"key":"e_1_3_2_1_12_1","unstructured":"The Official Website of BurpSuite. https:\/\/portswigger.net\/burp."},{"key":"e_1_3_2_1_13_1","unstructured":"The Official Website of BurpSuite's BApp Store. https:\/\/portswigger.net\/bappstore."},{"key":"e_1_3_2_1_14_1","unstructured":"The Official Website of Github. https:\/\/github.com\/."},{"key":"e_1_3_2_1_15_1","unstructured":"Top BAC reports from HackerOne. https:\/\/github.com\/reddelexc\/hackerone-reports\/blob\/master\/tops_by_bug_type\/TOPIDOR.md."},{"key":"e_1_3_2_1_16_1","unstructured":"Top BAC reports from HackerOne. https:\/\/github.com\/reddelexc\/hackerone-reports\/blob\/master\/tops_by_bug_type\/TOPAUTHORIZATION.md."},{"key":"e_1_3_2_1_17_1","unstructured":"WeBid on Github. https:\/\/github.com\/renlok\/WeBid."},{"key":"e_1_3_2_1_18_1","volume-title":"https:\/\/owasp.org\/API-Security\/editions\/2019\/en\/0x11-t10\/","author":"OWASP","year":"2019","unstructured":"OWASP Top 10 - 2019. https:\/\/owasp.org\/API-Security\/editions\/2019\/en\/0x11-t10\/, 2019."},{"key":"e_1_3_2_1_19_1","volume-title":"https:\/\/owasp.org\/Top10\/A01_2021-Broken_Access_Control\/","author":"OWASP","year":"2021","unstructured":"OWASP Top 10 - 2021. https:\/\/owasp.org\/Top10\/A01_2021-Broken_Access_Control\/, 2021."},{"key":"e_1_3_2_1_20_1","volume-title":"https:\/\/securityboulevard.com\/2023\/03\/23-most-notorious-hacks-history-that-fall-under-owasp-top-10\/","author":"History Notorious Hacks","year":"2023","unstructured":"Notorious Hacks in History. https:\/\/securityboulevard.com\/2023\/03\/23-most-notorious-hacks-history-that-fall-under-owasp-top-10\/, 2023."},{"key":"e_1_3_2_1_21_1","volume-title":"https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/","author":"OWASP","year":"2023","unstructured":"OWASP Top 10 - 2023. https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/, 2023."},{"key":"e_1_3_2_1_22_1","volume-title":"https:\/\/www.apisec.ai\/blog\/5-real-world-examples-of-business-logic-vulnerabilities-that-resulted-in-data-breaches","author":"Breach News Serious Data","year":"2023","unstructured":"Serious Data Breach News. https:\/\/www.apisec.ai\/blog\/5-real-world-examples-of-business-logic-vulnerabilities-that-resulted-in-data-breaches, 2023."},{"key":"e_1_3_2_1_23_1","volume-title":"VN Venkatakrishnan. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Alhuzali Abeer","year":"2018","unstructured":"Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and VN Venkatakrishnan. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In 27th USENIX Security Symposium (USENIX Security 18), 2018."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.23"},{"key":"e_1_3_2_1_25_1","first-page":"334","volume-title":"Efficient and flexible discovery of php application vulnerabilities. In 2017 IEEE european symposium on security and privacy (EuroS&P)","author":"Backes Michael","year":"2017","unstructured":"Michael Backes, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi. Efficient and flexible discovery of php application vulnerabilities. In 2017 IEEE european symposium on security and privacy (EuroS&P), pages 334-349. IEEE, 2017."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3556910"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.01.008"},{"key":"e_1_3_2_1_29_1","first-page":"523","volume-title":"21st USENIX Security Symposium (USENIX Security 12)","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. Enemy of the state: A {state-aware}{black-box} web vulnerability scanner. In 21st USENIX Security Symposium (USENIX Security 12), pages 523-538, 2012."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14215-4_7"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24169"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00022"},{"key":"e_1_3_2_1_33_1","first-page":"7231","article-title":"Hypertext transfer protocol (http\/1.1): Semantics and content","author":"Fielding Roy","year":"2014","unstructured":"Roy Fielding and Julian Reschke. Hypertext transfer protocol (http\/1.1): Semantics and content. RFC 7231, 2014.","journal-title":"RFC"},{"key":"e_1_3_2_1_34_1","volume-title":"USENIX Security Symposium","author":"G\u00fcler Emre","year":"2024","unstructured":"Emre G\u00fcler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp G\u00f6rz, Xinyi Xu, Cemal Kaygusuz, and Thorsten Holz. Atropos: Effective fuzzing of web applications for server-side vulnerabilities. In USENIX Security Symposium, 2024."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230366"},{"key":"e_1_3_2_1_36_1","volume-title":"Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In 2006 IEEE Symposium on Security and Privacy (S&P'06)","author":"Jovanovic Nenad","year":"2006","unstructured":"Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In 2006 IEEE Symposium on Security and Privacy (S&P'06), 2006."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.5220\/0010300102040216"},{"key":"e_1_3_2_1_38_1","volume-title":"Li and Wei Meng. Lchecker: Detecting Loose Comparison Bugs in PHP. In Proceedings of the Web Conference 2021","author":"Penghui","year":"2021","unstructured":"Penghui Li and Wei Meng. Lchecker: Detecting Loose Comparison Bugs in PHP. In Proceedings of the Web Conference 2021, 2021."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00197"},{"key":"e_1_3_2_1_40_1","volume-title":"Yuan Xue. Automated Black-box Detection of Access Control Vulnerabilities in Web Applications. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy","author":"Li Xiaowei","year":"2014","unstructured":"Xiaowei Li, Xujie Si, and Yuan Xue. Automated Black-box Detection of Access Control Vulnerabilities in Web Applications. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, 2014."},{"key":"e_1_3_2_1_41_1","volume-title":"Li and Yuan Xue. Block: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In Proceedings of the 27th Annual Computer Security Applications Conference","author":"Xiaowei","year":"2011","unstructured":"Xiaowei Li and Yuan Xue. Block: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications. In Proceedings of the 27th Annual Computer Security Applications Conference, 2011."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484375"},{"key":"e_1_3_2_1_43_1","first-page":"10","volume-title":"2025 IEEE Symposium on Security and Privacy (SP)","author":"Liu Fengyu","year":"2024","unstructured":"Fengyu Liu, Youkun Shi, Yuan Zhang, Guangliang Yang, Enhao Li, and Min Yang. Mocguard: Automatically detecting missing-owner-check vulnerabilities in java web applications. In 2025 IEEE Symposium on Security and Privacy (SP), pages 10-10. IEEE Computer Society, 2024."},{"key":"e_1_3_2_1_44_1","volume-title":"Kun Cheng. Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Lu Jie","year":"2022","unstructured":"Jie Lu, Haofeng Li, Chen Liu, Lian Li, and Kun Cheng. Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559391"},{"key":"e_1_3_2_1_46_1","first-page":"690","volume-title":"VN Venkatakrishnan. MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security","author":"Monshizadeh Maliheh","year":"2014","unstructured":"Maliheh Monshizadeh, Prasad Naldurg, and VN Venkatakrishnan. MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 690-701, 2014."},{"key":"e_1_3_2_1_47_1","first-page":"6741","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Olsson Eric","year":"2024","unstructured":"Eric Olsson, Benjamin Eriksson, Adam Doup\u00e9, and Andrei Sabelfeld. {Spider-Scents}: Grey-box database-aware web scanning for stored {XSS}. In 33rd USENIX Security Symposium (USENIX Security 24), pages 6741-6758, 2024."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00210"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194023500298"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/s42979-022-01271-1"},{"key":"e_1_3_2_1_51_1","volume-title":"RAID 2015, Kyoto, Japan, November 2-4, 2015. Proceedings","author":"Rossow Christian","year":"2015","unstructured":"Christian Rossow. jAk: Using Dynamic Analysis to Crawl and Test Modern Web Applications. In Research in Attacks, Intrusions, and Defenses: 18th International Symposium, RAID 2015, Kyoto, Japan, November 2-4, 2015. Proceedings, 2015."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2048066.2048146"},{"key":"e_1_3_2_1_53_1","volume-title":"NDSS. Citeseer","author":"Son Sooel","year":"2013","unstructured":"Sooel Son, Kathryn S McKinley, and Vitaly Shmatikov. Fix Me Up: Repairing Access-Control Bugs in Web Applications. In NDSS. Citeseer, 2013."},{"key":"e_1_3_2_1_54_1","volume-title":"Zhendong Su. Static Detection of Access Control Vulnerabilities in Web Applications. In 20th USENIX Security Symposium (USENIX Security 11)","author":"Sun Fangqi","year":"2011","unstructured":"Fangqi Sun, Liang Xu, and Zhendong Su. Static Detection of Access Control Vulnerabilities in Web Applications. In 20th USENIX Security Symposium (USENIX Security 11), 2011."},{"key":"e_1_3_2_1_55_1","volume-title":"Yuanyuan Zhou. AutoISES: Automatically Inferring Security Specification and Detecting Violations. In USENIX Security Symposium","author":"Tan Lin","year":"2008","unstructured":"Lin Tan, Xiaolan Zhang, Xiao Ma, Weiwei Xiong, and Yuanyuan Zhou. AutoISES: Automatically Inferring Security Specification and Detecting Violations. In USENIX Security Symposium, 2008."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179317"},{"key":"e_1_3_2_1_57_1","volume-title":"Konrad Rieck. Modeling and Discovering Vulnerabilities with Code Property Graphs. In 2014 IEEE Symposium on Security and Privacy","author":"Yamaguchi Fabian","year":"2014","unstructured":"Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. Modeling and Discovering Vulnerabilities with Code Property Graphs. In 2014 IEEE Symposium on Security and Privacy, 2014."},{"key":"e_1_3_2_1_58_1","volume-title":"Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS)","author":"Yongheng Huang","year":"2024","unstructured":"Huang Yongheng, Shi Chenghang, Lu Jie, Li Haofeng, Meng Haining, and Li Lian. Detecting broken object-level authorization vulnerabilities in database-backed applications. In Proceedings of the 31st ACM Conference on Computer and Communications Security (CCS), October 2024."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2007.1078"},{"key":"e_1_3_2_1_60_1","volume-title":"Ruowen Wang. Pex: A Permission Check Analysis Framework for Linux Kernel. In 28th USENIX Security Symposium","author":"Zhang Tong","year":"2019","unstructured":"Tong Zhang, Wenbo Shen, Dongyoon Lee, Changhee Jung, Ahmed M Azab, and Ruowen Wang. Pex: A Permission Check Analysis Framework for Linux Kernel. In 28th USENIX Security Symposium, 2019."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2752952.2752976"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134089"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744825","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:11:13Z","timestamp":1766441473000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744825"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":62,"alternative-id":["10.1145\/3719027.3744825","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744825","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}