Broken Access Control Risks in Open-Source JavaScript Project: A Security Analysis

Bibliographic Details
Title: Broken Access Control Risks in Open-Source JavaScript Project: A Security Analysis
Authors: Ayusinta, Rima
Publisher Information: Mittuniversitetet, Institutionen för kommunikation, kvalitetsteknik och informationssystem (2023-)
Publication Year: 2025
Collection: Mid Sweden University: Publications (DiVA)
Subject Terms: Broken Access Control, Open-Source Software, JavaScript Security, Static Code Analysis, Vulnerability Detection, Software Engineering, Programvaruteknik (Software Engineering)
Description:

Context: Broken Access Control (BAC) has been identified as the most critical web security issue by OWASP. Open-source JavaScript projects, while enabling collaboration and transparency, remain particularly vulnerable to BAC due to their visibility and diverse contributor base.

Objective: This study investigates the prevalence and patterns of BAC vulnerabilities in open-source JavaScript projects. The goal is to understand how these flaws manifest, how they can be systematically detected, and whether current detection methods are effective in real-world scenarios.

Method: A hybrid methodology was applied, consisting of automated static code analysis using Semgrep and manual penetration testing. A GitHub mining script was used to collect a curated dataset of 166 actively maintained JavaScript repositories, selected based on access-control-related keywords and popularity metrics. Custom Semgrep rules were developed to detect BAC categories including Insecure Direct Object References (IDOR), unprotected routes, forced browsing, and token or session misconfigurations. Manual validation was conducted in isolated Docker environments and with Postman to confirm exploitability.

Results: Of the 166 analyzed repositories, 33 were flagged by Semgrep, and 5 were confirmed to contain real, exploitable BAC vulnerabilities through manual testing. Validated vulnerabilities included unauthenticated endpoints, parameter-based access to privileged functions, and insecure CORS or token handling. Although static analysis proved useful in surfacing suspicious patterns, it exhibited a high false positive rate and lacked contextual understanding of runtime authorization.

Conclusion: The findings reveal recurring patterns of BAC vulnerabilities in open-source JavaScript applications. While static tools like Semgrep proved useful for initial screening, they must be paired with manual validation to ensure accurate assessment.
Document Type: bachelor thesis
File Description: application/pdf
Language: English
Availability: http://urn.kb.se/resolve?urn=urn:nbn:se:miun:diva-55508
Rights: info:eu-repo/semantics/openAccess
Accession Number: edsbas.9A923C97
Database: BASE