BACFuzz: Exposing the Silence on Broken Access Control Vulnerabilities in Web Applications

📅 2025-07-21
🤖 AI Summary
Broken Access Control (BAC) vulnerabilities—including BOLA and BFLA—are challenging to detect automatically in web applications due to the lack of reliable testing benchmarks and semantically valid attack requests. To address this, we propose the first grey-box fuzzing framework tailored for PHP applications. Our approach innovatively integrates LLM-guided parameter selection, runtime context-aware instrumentation, and backend semantic validation based on SQL query analysis. Lightweight instrumentation and precise SQL semantics enable high-accuracy vulnerability identification. Evaluated on 20 real-world PHP applications, our framework successfully detects 16 out of 17 known BAC vulnerabilities and discovers 26 previously unknown ones, achieving a significantly lower false-positive rate than state-of-the-art methods. All identified vulnerabilities have been responsibly disclosed.

📝 Abstract
Broken Access Control (BAC) remains one of the most critical and widespread vulnerabilities in web applications, allowing attackers to access unauthorized resources or perform privileged actions. Despite its severity, BAC is underexplored in automated testing due to key challenges: the lack of reliable oracles and the difficulty of generating semantically valid attack requests. We introduce BACFuzz, the first gray-box fuzzing framework specifically designed to uncover BAC vulnerabilities, including Broken Object-Level Authorization (BOLA) and Broken Function-Level Authorization (BFLA) in PHP-based web applications. BACFuzz combines LLM-guided parameter selection with runtime feedback and SQL-based oracle checking to detect silent authorization flaws. It employs lightweight instrumentation to capture runtime information that guides test generation, and analyzes backend SQL queries to verify whether unauthorized inputs flow into protected operations. Evaluated on 20 real-world web applications, including 15 CVE cases and 2 known benchmarks, BACFuzz detects 16 of 17 known issues and uncovers 26 previously unknown BAC vulnerabilities with low false positive rates. All identified issues have been responsibly disclosed, and artifacts will be publicly released.
Problem

Research questions and friction points this paper is trying to address.

Detecting Broken Access Control vulnerabilities in web apps
Overcoming lack of reliable oracles in automated BAC testing
Identifying silent authorization flaws via SQL-based oracle checking
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-guided parameter selection for fuzzing
SQL-based oracle checking for authorization flaws
Lightweight instrumentation for runtime feedback