Broken access control is one of the most common security vulnerabilities in web applications. These vulnerabilities are the major cause of many data breach incidents, which result in privacy concern and revenue loss. However, preventing and detecting access control vulnerabilities proactively in web applications could be difficult. Currently, these vulnerabilities are actively detected by bug bounty hunters post-deployment, which creates attack windows for malicious access. To solve this problem proactively requires security awareness and expertise from developers, which calls for systematic solutions. This survey targets to provide a structured overview of approaches that tackle access control vulnerabilities. It firstly discusses the unique feature of access control vulnerabilities, then studies the existing works proposed to tackle access control vulnerabilities in web applications, which span the spectrum of software development from software design and implementation, software analysis and testing, and runtime monitoring. At last we discuss the open problem in this field.

翻译：访问控制失效是Web应用中最常见的安全漏洞之一。这些漏洞是导致众多数据泄露事件的主要原因，进而引发隐私问题和收入损失。然而，在Web应用中主动预防和检测访问控制漏洞可能具有挑战性。当前，这些漏洞通常在部署后由漏洞赏金猎人主动发现，从而为恶意访问创造了攻击窗口。要主动解决此问题，需要开发人员具备安全意识和专业知识，这呼唤系统化解决方案。本综述旨在提供应对访问控制漏洞方法的结构化概述。首先讨论访问控制漏洞的独特特征，随后研究现有应对Web应用中访问控制漏洞的工作，这些工作涵盖了软件开发的完整谱系，包括软件设计与实现、软件分析与测试以及运行时监控。最后，我们探讨该领域中的开放性问题。