A2CT: Automated Detection of Function and Object-Level Access Control Vulnerabilities in Web Applications

Michael Schlaubitz, Onur Veyisoglu, Marc Rennhard

2025

Abstract

In view of growing security risks, automated security testing of web applications is becoming increasingly important. Capable tools already exist to detect common vulnerability types such as SQL injection or cross-site scripting. Access control vulnerabilities, however, remain a vulnerability category that is much harder to detect in an automated fashion, while at the same time representing a highly relevant security problem in practice. In this paper, we present A2CT, a practical approach for the automated detection of access control vulnerabilities in web applications. A2CT supports most web applications and can detect vulnerabilities in the context of all HTTP request types (GET, POST, PUT, PATCH, DELETE). To demonstrate the practical usefulness of A2CT, we evaluated it on 30 publicly available web applications. Overall, A2CT uncovered 14 previously unknown vulnerabilities in two of these web applications, which resulted in six published CVE records. To encourage further research, the source code of A2CT is made available under an open-source license.

Paper Citation


in Harvard Style

Schlaubitz M., Veyisoglu O. and Rennhard M. (2025). A2CT: Automated Detection of Function and Object-Level Access Control Vulnerabilities in Web Applications. In Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP; ISBN 978-989-758-735-1, SciTePress, pages 425-436. DOI: 10.5220/0013092700003899


in Bibtex Style

@conference{icissp25,
author={Michael Schlaubitz and Onur Veyisoglu and Marc Rennhard},
title={A2CT: Automated Detection of Function and Object-Level Access Control Vulnerabilities in Web Applications},
booktitle={Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP},
year={2025},
pages={425-436},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013092700003899},
isbn={978-989-758-735-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP
TI - A2CT: Automated Detection of Function and Object-Level Access Control Vulnerabilities in Web Applications
SN - 978-989-758-735-1
AU - Schlaubitz M.
AU - Veyisoglu O.
AU - Rennhard M.
PY - 2025
SP - 425
EP - 436
DO - 10.5220/0013092700003899
PB - SciTePress