🤖 AI Summary
Misconfigured access control in web applications remains a leading cause of data breaches, yet existing techniques lack automated, systematic security testing for permission changes. This paper introduces ACtests, a lightweight, end-to-end access control change-testing framework. It leverages containerized micro-production environments, runtime request injection, policy differential analysis, and behavioral impact tracing to establish the first high-performance testing paradigm specifically targeting configuration-change impacts. ACtests enables automated identification of unintended interactions and privilege bypass risks in near-production settings. Evaluated on 193 publicly available web application configuration images, it uncovered 168 previously unknown vulnerabilities—54 confirmed and 44 already patched. Furthermore, across five real-world systems—including Wikipedia—it achieved 100% coverage of configuration-change impacts, demonstrating both scalability and practical efficacy in production-relevant contexts.
📝 Abstract
Access-control misconfigurations are among the main causes of today's data breaches in web applications. However, few techniques are available to support automatic and systematic testing for access-control changes and detecting risky changes to prevent severe consequences. As a result, those critical security configurations often lack testing, or are tested manually in an ad hoc way. This paper advocates that tests should be made available for users to test access-control configuration changes. The key challenges are that such tests need to be run with production environments (to reason about end-to-end behavior) and need to be performance-efficient. We present a new approach to create such tests, as a mini test environment incorporating production program and data, called ACtests. ACtests report the impacts of access-control changes, namely the requests that were denied but would be allowed after a change, and vice versa. Users can validate if the changed requests are intended or not and identify potential security vulnerabilities. We evaluate ACtests with 193 public configurations of widely-used web applications on Dockerhub. ACtests detect 168 new vulnerabilities from 72 configuration images. We report them to the image maintainers: 54 of them have been confirmed and 44 have been fixed. We also conduct in-depth experiments with five real-world deployed systems, including Wikipedia and a commercial company's web proxy. Our results show that ACtests effectively and efficiently detect all the change impacts.
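A minimal sketch of the change-impact report the abstract describes (requests denied before a change but allowed after it, and vice versa), added here as an illustration and not ACtests' own code. The first-match rule model, the two policies and the request set are constructed assumptions; ACtests itself replays requests against the production program rather than a model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    prefix: str    # URL path prefix the rule applies to
    network: str   # client CIDR the rule matches
    allow: bool    # decision when this rule is the first match

def decide(policy, path, client_ip, default=False):
    """First-match evaluation, deny by default (assumed model, not a real server's)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy:
        if path.startswith(rule.prefix) and ip in ipaddress.ip_network(rule.network):
            return rule.allow
    return default

def change_impact(old, new, requests):
    """Return (newly_allowed, newly_denied): requests whose decision flips."""
    newly_allowed, newly_denied = [], []
    for path, ip in requests:
        before, after = decide(old, path, ip), decide(new, path, ip)
        if after and not before:
            newly_allowed.append((path, ip))
        elif before and not after:
            newly_denied.append((path, ip))
    return newly_allowed, newly_denied

# Constructed policies. The change is meant to open /admin/reports to one office
# /24 and narrow admin access, but the new first rule was written as a /16.
OLD = [Rule("/admin", "10.0.0.0/8", True),
       Rule("/admin", "0.0.0.0/0", False),
       Rule("/", "0.0.0.0/0", True)]
NEW = [Rule("/admin/reports", "192.168.0.0/16", True),
       Rule("/admin", "10.1.0.0/16", True),
       Rule("/admin", "0.0.0.0/0", False),
       Rule("/", "0.0.0.0/0", True)]
# Constructed request sample standing in for replayed production traffic.
REQUESTS = [("/admin/reports", "192.168.1.20"), ("/admin/reports", "192.168.77.5"),
            ("/admin/users", "192.168.1.20"), ("/admin/users", "10.1.2.3"),
            ("/admin/users", "10.9.9.9"), ("/index.html", "203.0.113.9")]

if __name__ == "__main__":
    allowed, denied = change_impact(OLD, NEW, REQUESTS)
    for label, flips in (("denied -> allowed", allowed), ("allowed -> denied", denied)):
        for path, ip in flips:
            print(f"{label}: {ip} {path}")
```

The report lists only flipped decisions, so the reviewer sees the unintended 192.168.77.5 grant next to the intended 192.168.1.20 one and can judge each against the purpose of the change.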