G.2076Page1GlobalResearchjournalofNaturalScience&Technology(GRJNST)Volume:04-Issue2(2026),2076ISSNP:2790-7643ISSNE:2790-7651www.grjnst.nethttps://doi.org/10.53762/grjnst.04.02.27AuthStateBench:AStandards-AlignedBenchmarkforStatefulAuthorizationandAuthenticationWorkflowsReceived:01April2026.Accepted:23April2026.Published:29April2026MuhammadShahzadKhadim(CorrespondingAuthor)KohatUniversityofScienceandTechnology,Kohat,Pakistanytshahzad257@gmail.comSyedMufassirShahKohatUniversityofScienceandTechnology,Kohat,Pakistanmufassirshah3@gmail.comZubairKhanInternationalIslamicUniversityIslamabadIslamabad,Pakistanzubairafridi2312@gmail.comGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27Copyright©2026GRJNST.ThisarticleispublishedunderanOpenAccessmodel.ItismadeavailabletothepublicunderthetermsoftheCreativeCommonsAttribution4.0International(CCBY4.0)license,whichpermitsunrestricteduseanddistributionG.2076Page2AbstractAuthenticationandauthorizationweaknessesinmodernwebapplicationsrarelyariseasisolatedrequest-leveldefects.Theyoftendependonrolechanges,sessionlifecycleconditions,objectownershipboundaries,APIauthorizationrules,andbusinessworkflowordering.Existingvulnerabilitybenchmarksandscannerevaluationsremainvaluable,buttheyoftenrepresentweaknessesascode-levelorinput-outputdefectsandthereforeunderrepresentsemanticfailuressuchasIDOR/BOLA,function-levelauthorizationbypass,stale-sessionreuse,tenant-boundaryviolation,privilegetransitionerrors,andworkflowbypass.ThisarticleintroducesAuthStateBench,astandards-alignedbenchmarkdesignformodelingstatefulauthorizationandauthenticationworkflowvulnerabilitiesinwebapplicationsandAPIs.Thestudyusesastructuredliterature-basedandstandards-mappingmethodologythatdrawsonaccess-controltestingresearch,statefulwebtesting,weblogicflawanalysis,scanner-evaluationstudies,vulnerabilitybenchmarkliterature,AI-assistedvulnerability-analysiswork,andmajorsecurityguidanceincludingOWASPTop10,OWASPAPISecurityTop10,OWASPASVS,OWASPWSTG,NISTSSDF,MITRECWE,CISASecurebyDesign,OAuth2.0securityguidance,OpenIDConnect,andsoftware-assurancebenchmarkresources.AuthStateBenchcontributesafour-dimensionalstatemodelbuiltaroundrolestate,sessionstate,object-ownershipstate,andworkflowstate;ascenariotaxonomy;abenchmarkscenariotemplate;standards-mappinglogic;formalscenarioandcoverageequations;andcomparisoncriteriaformanual,scanner-assisted,AI-assisted,andstandards-basedassessment.Thearticledoesnotclaimempiricaldetectionaccuracy,toolexecution,live-systemtesting,ordatasetresults.Instead,itprovidesareproducibledesignartifactandvalidationroadmapforfuturecontrolledimplementationandcomparativeevaluation.Keywords:Webapplicationsecurity;brokenaccesscontrol;authenticationworkflow;authorizationtesting;benchmarkdesign;statefulsecuritytesting1.Introduction1.1BackgroundModernwebapplicationsrarelyfailthroughasingleisolateddefect.Theirsecuritypostureemergesfromtheinteractionofidentityproviders,sessionstores,APIgateways,access-controlmiddleware,object-levelpermissionchecks,businessworkflows,auditmechanisms,andrecoverylogic.Arequestthatappearsharmlessinisolationmaybecomedangerouswhenitisexecutedwiththewrongrole,astalesession,anunownedobjectidentifier,oraskippedworkflowstep.Thisstatefulcharacterisespeciallyvisibleinauthorizationandauthenticationflaws.Ausermaybeauthenticatedbutstillunauthorizedtoperformafunction;anexpiredGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page3tokenmaybeacceptedafterlogout;anobjectidentifiermayexposeanotheruser'srecord;oraworkflowendpointmayallowanoperationbeforetherequiredapprovalstatehasbeenreached.Thecurrentapplication-securitylandscapeconfirmstheimportanceofthisproblem.OWASPTop10:2025identifiesBrokenAccessControlastheleadingwebapplicationsecurityrisk,andOWASPAPISecurityTop10:2023placesBrokenObjectLevelAuthorizationatthefirstpositionforAPIsecurityrisk[1]-[4].OWASPASVS5.0.0andtheOWASPWebSecurityTestingGuideprovidedeeperverificationandtestingguidanceforauthentication,sessionmanagement,accesscontrol,APIbehavior,andbusinesslogic[5],[6].NISTSSDFandCISASecurebyDesignguidanceframetheseweaknessesassecure-developmentandproduct-responsibilityconcernsratherthanisolatedtestingevents[8],[19],[20].Despitetheavailabilityofthesestandards,thereremainsabenchmark-designproblem.ExistingvulnerabilitybenchmarkssuchasOWASPBenchmark,NISTSARD,andJulietprovidevaluabletool-evaluationsupport,buttheirstructureisstrongerforcode-levelandinput-drivenweaknessclassesthanformulti-stepauthorizationandauthenticationfailuresthatdependonrole,session,object,andworkflowstate[7],[9]-[11].Thisgapmattersbecausescanners,AI-assistedtestingsystems,manualtesters,andsecure-developmentteamsneedcomparablescenariodefinitionsbeforemeaningfulevaluationcanoccur.1.2ProblemStatementThecentralproblemaddressedinthisarticleisthatstatefulauthorizationandauthenticationworkflowvulnerabilitiesaredifficulttobenchmarkusingisolatedHTTPrequests,genericscannersignatures,orcodesnippetsdetachedfromapplicationstate.Aconventionalvulnerabilitytestcaseoftenaskswhetheraspecificpayloadtriggersaspecificresponse.Incontrast,astatefulauthorizationflawmayrequiretwoormoreaccounts,atleastoneprotectedobject,aknownworkflowstate,atokenlifecyclecondition,andanexpectedpolicydecision.Withoutdocumentingtheseconditions,twostudiesmayappeartoevaluatethesamevulnerabilitycategorywhileactuallytestingdifferentsecurityproperties.Thiscreatesthreepracticalweaknessesintheresearchlandscape.First,scannerevaluationscanoverrepresentinput-drivenflawswhileunderrepresentingsemanticauthorizationfailures.Second,AI-assistedtestingstudiesmayclaimprogresswithoutshowingwhetherrole,session,objectownership,andworkflowpreconditionsweremodeled.Third,secure-developmentguidancemayremaindifficulttooperationalizebecausestandardsrequirementsarenottranslatedintobenchmarkscenariotemplates.Theproblemisthereforenotalackofstandardsorindividualtestingtechniques;theproblemistheabsenceofastructuredbenchmarkdesignthatconnectsstandards,statedimensions,scenariocategories,andevaluationcriteria.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page41.3ResearchGapPriorworkhasexaminedwebapplicationsecurity,automatedvulnerabilitydetection,access-controlanalysis,businesslogicflaws,scannerperformance,andsoftware-vulnerabilitybenchmarks[26]-[40].However,theliteratureremainsfragmentedwhenthetargetweaknessdependsonacombinationofauthenticatedidentity,authorizationpolicy,objectownership,tokenlifecycle,requestordering,andbusiness-statetransition.Astrongerbenchmarkdesignisneededtomakesuchweaknessesreproducibleandcomparableacrosstestingapproaches.Thepreciseresearchgapisasfollows:existingwebsecurityresearchlacksastandards-alignedbenchmarkdesignthatsystematicallymodelsstatefulauthorizationandauthenticationworkflowvulnerabilitiesusingrole,session,object-ownership,andworkflow-statedimensions.Thisgappreventsconsistentcomparisonofmanualtesting,scanner-assistedtesting,AI-assistedtesting,andstandards-basedreviewforflawssuchasIDOR/BOLA,privilegeescalation,sessionmisuse,roleconfusion,andworkflowbypass.1.4AimandObjectivesTheaimofthisarticleistodesignastandards-alignedbenchmarkmodelforclassifying,structuring,andevaluatingstatefulauthorizationandauthenticationworkflowvulnerabilitiesinmodernwebapplications.Theobjectivesare:(1)toreviewliteratureonbrokenaccesscontrol,authenticationworkflowflaws,statefulwebsecuritytesting,benchmark-basedevaluation,scannerlimitations,andAI-assistedvulnerabilityanalysis;(2)toidentifyrecurringpatternsinvolvingrolemisuse,objectownership,sessionstate,workflowbypass,tokenlifecycleerrors,andprivilegetransitions;(3)tomapthesepatternstoOWASPTop10:2025,OWASPAPISecurityTop10,OWASPASVS,OWASPWSTG,NISTSSDF,CISASecurebyDesignguidance,andMITRECWE;(4)todevelopabenchmarkscenariotaxonomyforstatefulauthorizationandauthenticationworkflowweaknesses;(5)todefineevaluationcriteriaformanualtesting,scanner-assistedtesting,AI-assistedtesting,andstandards-basedreview;and(6)toproposeabenchmarkdocumentationtemplateandfuturevalidationroadmap.1.5ResearchQuestionsRQ1.Whatstatefulauthorizationandauthenticationworkflowvulnerabilitiesaremostfrequentlydiscussedinrecentwebapplicationsecurityliterature?RQ2.Howcanrole,session,objectownership,andworkflowstatebeusedtoclassifyauthenticationandaccess-controlweaknesses?RQ3.HowcanOWASPTop10:2025,OWASPAPISecurityTop10,OWASPASVS,OWASPWSTG,NISTSSDF,CISASecurebyDesignguidance,andMITRECWEbemappedtobenchmarkscenariosforstatefulwebsecuritytesting?RQ4.WhatbenchmarkscenariocategoriesareneededtorepresentIDOR/BOLA,privilegeescalation,sessionmisuse,workflowbypass,roleconfusion,andtokenlifecycleweaknesses?GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page5RQ5.Whatevaluationcriteriacancomparemanual,scanner-assisted,AI-assisted,andstandards-basedtestingapproacheswithoutreportingunsupportedempiricalresults?RQ6.Whatlimitationsexistincurrentwebsecuritybenchmarksforevaluatingaccess-controlandauthenticationworkflowflaws?RQ7.WhatfuturevalidationpathwayisrequiredtomakeAuthStateBenchsuitableforempiricalcybersecurityresearch?1.6ScopeThescopeofAuthStateBenchisbenchmarkdesign,scenariostructuring,standardsmapping,evaluationlogic,andfuturevalidationplanning.ThearticlefocusesonwebapplicationsandwebAPIswhereauthorizationandauthenticationoutcomesdependonstate.Thebenchmarkdesignisintentionallyabstract:itdoesnotrequireunauthorizedtestingofrealsystems,privatedatasets,exploitdemonstrations,scanneroutput,screenshots,orfabricatedtoolresults.Itissuitableforlaterimplementationincontrolledvulnerableapplications,teachinglaboratories,controlledresearchenvironments,orexpert-reviewexercises.Thescopeexcludesmalwareanalysis,networkintrusiondetection,blockchainsecurity,IoTfirmwaretesting,andgenericAI-in-cybersecuritydiscussionsunlesstheydirectlyinformbenchmark-designprinciples.Thearticlealsoexcludesclaimsofdetectionaccuracybecausenotoolexecutionorempiricalimplementationisreported.1.7ContributionsThisarticlemakesfiveconcretecontributions.First,itproposesAuthStateBench,abenchmark-designartifactforstatefulauthorizationandauthenticationworkflowweaknessesinwebapplicationsandAPIs.Second,itdefinesafour-dimensionalstatemodelthatcapturesrolestate,sessionstate,object-ownershipstate,andworkflowstate.Third,itintroducesatemplateforrepeatablebenchmarkscenarioconstruction.Fourth,itaddsastandards-mappinglayerthatconnectsscenarioclassestoOWASP,ASVS,WSTG,NISTSSDF,CISASecurebyDesign,MITRECWE,OAuth,andOpenIDguidance.Fifth,itdefinesevidence-basedcomparisoncriteriaformanualtesting,scanner-assistedtesting,AI-assistedtesting,andstandards-basedreviewwithoutinventingunsupportedempiricalresults.taxonomyandeditabledocumentationThecontributiondiffersfromagenericOWASPsurveybecauseitdoesnotmerelysummarizeriskcategories.Ittranslatesrecurringaccess-controlandauthenticationfailurepatternsintoreusablescenarioclasses.Italsodiffersfromascanner-evaluationpaperbecauseitdoesnotclaimperformancemeasurements.Instead,itpreparesabenchmarkstructurethatcanlatersupportsuchmeasurementstransparently.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page61.8StructureofthePaperSection2reviewskeyconcepts,recentstudies,standards,andlimitationsofexistingwork.Section3presentsAuthStateBenchanditsconceptualcomponents.Section4explainsthestructuredliterature-basedandstandards-mappingmethodology.Section5presentsanalyticalfindings,benchmarkoutputs,standardsalignment,andcomparisonwithexistingapproaches.Section6discussesimplications,limitations,andfutureresearch.Section7concludesthearticle.Fig.1summarizesthearticle'slogicinaroadmapstyle:evidenceisgathered,gapsaresynthesized,thestatemodelisdefined,benchmarkartifactsareproduced,andvalidationisreservedforcontrolledfuturework.Fig.1.ResearchroadmapandlogicalframeworkforAuthStateBench.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page72.LiteratureReview2.1KeyConceptsAuthenticationverifiestheidentityofanentity,whileauthorizationdetermineswhetherthatentitymayaccessaresourceorperformafunction.Sessionmanagementmaintainscontinuitybetweenauthenticatedinteractions,oftenthroughcookies,bearertokens,refreshtokens,orserver-sidesessionidentifiers.Object-levelauthorizationcheckswhetherausermayaccessaspecificobjectinstance,notmerelywhethertheuserbelongstoabroadrole.Workflowauthorizationcheckswhetheranactionispermittedataparticularstageofabusinessprocess.Theseconceptsareseparatedanalyticallybutoftenfailtogetherinrealapplications.Abenchmarkforstatefulauthorizationandauthenticationweaknessesmustthereforemodelmorethanavulnerabilitylabel.Forexample,IDOR/BOLAisnotsimply“changinganID.”Itisafailuretoenforceownershiportenantisolationwhenauser-controlledidentifierpointstoaprotectedobject[3],[4],[16]-[18].Similarly,sessionmisusemayincludeinsufficientsessionexpiration,reuseoftokensafterlogout,fixation,privilegetransitionfailures,orincompleteinvalidationafteraccountchanges[15],[21]-[23].Workflowbypassreferstoreachinganendpointorstatetransitionwithoutsatisfyingpreconditionssuchaspayment,approval,verification,orreauthentication.2.2ReviewofRecentStudiesResearchonaccess-controlvulnerabilitydetectionhasdevelopedthroughstaticanalysis,black-boxtesting,role-differentialanalysis,modelinference,andworkflow-basedreasoning.Sunetal.proposedstaticdetectionofaccess-controlvulnerabilitiesbyinferringrole-basedaccessassumptionsfromcode[29].LiandXueintroducedBLOCK,ablack-boxapproachfordetectingstateviolationattacksbyobservingnormalbehaviorandidentifyinginvariantviolations[30].Felmetsgeretal.highlightedthatlogicvulnerabilitiesreceivelessattentionthanclassicinput-validationflaws,eventhoughtheycancauseserioussecurityfailures[31].PellegrinoandBalzarottiexaminedblack-boxdetectionoflogicflawsusingbehavioralpatternsextractedfrominteractions[32].Morerecentworkcontinuestoshowthatauthorizationflawsaredifficulttoevaluatewithoutstatefulcontext.Rennhardetal.presentedanapproachtoautomaticallydetectHTTPGETrequest-basedaccess-controlvulnerabilities[26].Zhongetal.surveyedpreventionanddetectionofaccess-controlvulnerabilitiesinwebapplicationsandemphasizedroles,permissions,resources,andbusinesslogic[27].BACScanaddressedblack-boxdetectionofbrokenaccess-controlvulnerabilitiesandreinforcedtheneedtoconsidermultipleusersandpermissions[28].SWaTEvalproposedanevaluationframeworkforstatefulwebapplicationtesting,andProFuzzBenchshowedthevalueofexplicitbenchmarksforstatefulprotocolfuzzingevenoutsidewebauthorization[35],[36].GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page8BenchmarkingliteraturealsomotivatesAuthStateBench.OWASPBenchmarkandNISTSARDsupportevaluationofvulnerabilitydetectiontools,whileJulietandnewerSARDresourcesprovidecuratedsoftware-assurancetestcases[7],[9]-[11].However,benchmarkcritiqueshavenotedthatbenchmarkstructurecanshapetoolbehaviorandmaynotalwaysrepresentrealsemanticvulnerabilities[38]-[40].AI-assistedvulnerabilitydetectionfurtherincreasestheneedforclearlydefinedevaluationtasksbecauseLLM-basedsystemsmayappeareffectiveoncode-levelbenchmarkswhilestrugglingwithmulti-stepsecurityspecifications,contextualauthorizationrules,andworkflowsemantics[41]-[46].2.3ExistingStandards,Frameworks,andModelsOWASPTop10:2025andOWASPAPISecurityTop10:2023providerisktaxonomiesthatplacebrokenaccesscontrol,object-levelauthorization,brokenauthentication,andfunction-levelauthorizationamongmajorapplication-securityconcerns[1]-[4].OWASPASVS5.0.0providesaverificationstandardforwebapplicationtechnicalcontrolsandisparticularlyrelevantbecauseitincludesrequirementsforauthentication,sessionmanagement,accesscontrol,APIbehavior,errorhandling,logging,andbusinesslogic[5].OWASPWSTGcomplementsASVSbydescribingtestingactivitiesandreportingexpectations[6].NISTSSDFdescribessecuresoftwaredevelopmentpracticesformitigatingsoftwarevulnerabilityrisk,whileCISASecurebyDesignguidanceframessecuredefaults,productaccountability,andreductionofcustomersecurityburdenascoresoftwaremanufacturerresponsibilities[8],[19],[20].MITRECWEprovidesweaknessfamiliesthatcanmapbenchmarkscenariostowell-knowncategoriessuchasimproperaccesscontrol,improperauthentication,missingauthenticationforcriticalfunction,insufficientsessionexpiration,authorizationbypassthroughuser-controlledkey,missingauthorization,andincorrectauthorization[12]-[18].OAuth2.0securitybestcurrentpracticeandOpenIDConnectspecificationshelpgroundauthenticationandtokenlifecyclescenariosinrealidentityprotocols[21]-[23].2.4LimitationsofExistingWorkExistingworkhasfourmainlimitationsforthisarticle'spurpose.First,manybenchmarksemphasizesource-code-levelflawsorinput-drivenvulnerabilities,whichareimportantbutdonotfullycapturestatefulauthorizationsemantics.Second,scanner-comparisonstudiesoftenevaluatewhethertoolsdetectknownclasseswithoutdocumentingtherole,session,object,andworkflowstaterequiredtoreproduceauthorizationfailures.Third,access-controlstudiesvaryintheirthreatmodelsandassumptions,makingcomparisondifficultacrossmanual,automated,andAI-assistedapproaches.Fourth,standardsproviderequirementsandguidancebutdonotalwaystranslatethemintobenchmark-readyscenariotemplates.Theselimitationsdonotreducethevalueofexistingstandardsorbenchmarks.Rather,theyidentifyamissinglayerbetweenstandardsandtoolevaluation:ascenario-designmodelthatGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page9specifiespreconditions,actors,state,expectedsecurebehavior,insecurebehavior,evidencerequirements,andmappingtostandards.AuthStateBenchisintendedtoprovidethatlayer.2.5SummaryofResearchGapTheliteratureshowsstronginterestinwebapplicationsecurity,access-controlanalysis,scannerevaluation,software-assurancedatasets,andAI-assistedvulnerabilitydetection.Italsoshowsapersistentgap:statefulauthorizationandauthenticationfailuresrequirebenchmarkscenariosthatencoderole,session,objectownership,andworkflowconditions.Withoutsuchencoding,researchersandpractitionersriskcomparingtoolsandmethodsonunclearorincompleteassumptions.AuthStateBenchrespondstothisgapbyproposingastructuredbenchmarkdesignratherthanclaimingempiricalresults.Table1.Literaturesearchstrategyandsourcecategories.SourcecategoryAcademicliteratureSecuritystandardsandguidanceWeaknesstaxonomiesBenchmarkresourcesIdentityandriskspecificationsExamplesIEEEXplore,ACMDigitalLibrary,SpringerLink,ScienceDirect,Wiley,Taylor&Francis,GoogleScholardiscoveryOWASPTop10:2025,OWASPAPISecurityTop10,OWASPASVS5.0.0,OWASPWSTG,NISTSSDF,CISASecurebyDesignMITRECWEfamiliesforaccesscontrol,authentication,authorization,sessionexpiration,anduser-controlledkeysOWASPBenchmark,NISTSARD,Juliet,SARDdocumentation,ProFuzzBench,SWaTEvalOAuth2.0SecurityBCP,OpenIDConnect,CVSS,EPSSPurposeinthereviewIdentifypeer-reviewedstudiesonaccess-controltesting,statefulwebtesting,logicflaws,benchmarks,scanners,andAI-assistedvulnerabilityanalysis.Groundscenariocategoriesinrecognizedapplication-securityandsecure-developmentexpectations.Mapbenchmarkscenariostocommonweaknessidentifiersandimprovetraceability.Compareexistingbenchmarkassumptionswiththeproposedstatefulscenariodesign.Supportauthentication,tokenlifecycle,session,andrisk-evidenceinterpretation.Table2.Inclusionandexclusioncriteria.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076CriteriontypeTopicrelevanceMethodrelevanceSourcequalityTimeperiodIntegrityboundaryIncludedWebapplicationsecurity,APIsecurity,authentication,authorization,sessionmanagement,workflowabuse,benchmarkdesign,scannerevaluation,AI-assistedtestingStudiesproposing,evaluating,surveying,orsystematizingtestingmethods,standards,benchmarks,scanners,taxonomies,orframeworksPeer-reviewedpapers,officialstandards,recognizedcybersecurityguidance,andwell-establishedbenchmarkresourcesPrimarily2020-2026,witholderfoundationalworkretainedwhereitshapedaccess-controlorbenchmarkresearchSourcescompatiblewithaliterature-baseddesignarticlewithoutfabricatedresultsPage10ExcludedGenericcybersecuritywithnowebapplicationrelevance;malware-only,blockchain-only,IoT-only,ornetwork-onlystudies.Papersthatmentiontoolswithoutexplainingvulnerabilitymodelingortestdesign.Unverifiableblogs,marketingpages,unsupportedclaims,andsourceswithoutsufficienttechnicalrelevance.Oldermaterialwithoutcontinuingrelevanceorcitationvalue.Studiesrequiringprivatedatasets,unauthorizedtesting,ornon-reproduciblecompany-onlyevidence.Table3.Literaturecomparisononstatefulwebsecuritytesting.ResearchstreamRepresentativesourcesStrengthStaticaccess-controlanalysisSunetal.[29]Caninferaccess-controlassumptionsfromsourcecodeanddetectrole-relatedweaknesses.Black-boxstateorBLOCK[30],ModelsbehaviorGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27LimitationaddressedbyAuthStateBenchNotsuitablewhensourcecodeisunavailable;benchmarkscenariosstillneedstatefuldocumentation.DifferentstudiesuseG.2076logictestingPellegrinoandBalzarotti[32],Lietal.[34]frominteractionsandcanaddresslogicorstateviolations.ParametertamperingandIDOR/BOLAanalysisNoTamper[33],Rennhardetal.[26],BACScan[28]GeneralvulnerabilitybenchmarksOWASPBenchmark[7],SARDandJuliet[9]-[11]AI-assistedvulnerabilitydetectionXuetal.[41],Faretal.[42],CVE-Bench[44],Cybench[45]Targetsobjectidentifiers,requestparameters,andaccess-controlviolations.Usefulforrepeatabletoolevaluationandknowntestcases.HighlightsgrowingroleofAIinsecuritytestingandexploitationreasoning.Page11differentassumptions;AuthStateBenchstandardizesrole-session-object-workflowdimensions.Objectownershipandvictim/attackerroleconditionsneedexplicitbenchmarkrepresentation.Primarilystrongerforcode-levelorinput-drivenweaknessesthanmulti-userworkflowsemantics.Requiresclearertaskspecificationstoevaluatesemanticauthorizationandauthenticationworkflowbehavior.3.ProposedFramework/Benchmark/Model3.1ConceptualBasisAuthStateBenchisbuiltonthepremisethatauthorizationandauthenticationvulnerabilitiesarenotadequatelyrepresentedbyasinglerequestorpayload.Theymustberepresentedasstatefulsecurity-policyfailures.Thebenchmarkthereforeusesfourstatedimensions:rolestate,sessionstate,object-ownershipstate,andworkflowstate.Rolestatedescribestheidentityandprivilegeleveloftheactor.Sessionstatedescribestokenvalidity,freshness,login/logoutcondition,reauthenticationstatus,andprivilege-transitioneffects.Object-ownershipstatedescribeswhetherthetargetresourceisownedby,sharedwith,hiddenfrom,orunrelatedtotheactor.Workflowstatedescribeswhethertherequestedactionoccursintheexpectedbusinesssequence.Thebenchmarkdesigntreatsavulnerabilityscenarioasacontrolledpolicytest.Eachscenariobeginswithadocumentedprecondition,anattackerrole,anoptionalvictimortargetGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page12role,aprotectedobject,asessioncondition,aworkflowcondition,anaction,expectedsecurebehavior,observedinsecurebehaviorinavulnerableimplementation,andastandards/CWEmapping.Thisapproachallowsfutureimplementationwithoutrelyingonprivatesystemsorunauthorizedexploitation.Tomakethedesignexplicit,eachbenchmarkscenarioisrepresentedasastatefulpolicy-testtupleratherthanasinglevulnerablerequest:B_s=<R_s,S_s,O_s,W_s,A_s,P_s,E_s>(1)whereR_sisrolestate,S_sissessionstate,O_sisobject-ownershipstate,W_sisworkflowstate,A_sistheattemptedaction,P_sistheexpectedpolicydecision,andE_sistherequiredevidencerecord.Scenariocoveragecanlaterbecomputedas:Coverage=|C_tested∩C_required|/|C_required|(2)Afuturemethod-comparisonstudymayscoreevidencequalityusingaweightedcriterionmodel:Score_m=Σ(k=1..n)w_kx_m,k(3)wherex_m,kdenoteswhethermethodmsatisfiescriterionk,andw_kallowsfutureresearcherstoprioritizescenariorecognition,preconditionhandling,evidencequality,false-positivecontrol,andreproducibility.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page13Fig.2.Four-dimensionalstatemodelusedtoconstructAuthStateBenchscenarios.3.2MainComponentsAuthStateBenchcontainsfivecomponents.Thefirstcomponentisthescenariotaxonomy,whichgroupsbenchmarkcasesintorecurringclassessuchasobject-levelauthorizationfailure,function-levelauthorizationfailure,privilegeescalation,sessionlifecyclefailure,workflowbypass,role-confusionfailure,tenant-isolationfailure,andreauthenticationfailure.Thesecondcomponentisthestatematrix,whichcombinesrole,session,object,andworkflowconditions.Thethirdcomponentisthestandards-mappinglayer,whichconnectsscenariostoOWASP,NIST,CISA,MITRE,OAuth,andOpenIDguidance.Thefourthcomponentisthescenariodocumentationtemplate.Thefifthcomponentistheevaluationcriteriaset,whichsupportsfuturecomparisonofmanualtesting,scanner-assistedtesting,AI-assistedtesting,andstandards-basedreview.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page14Thesecomponentsaredesignedtobemodular.Aresearchercanusethetaxonomytoclassifyscenarios,thetemplatetodocumentcases,thestandardsmappingtojustifyrelevance,andtheevaluationcriteriatocomparemethods.Apractitionercanusethesamestructurefortraining,secure-codereview,andcontrolledlaboratoryexercises.Fig.3operationalizesthebenchmarkconstructionsequence.Theprocessstartsfromasecuritypolicy,convertsitintoallowedanddeniedstatepairs,recordsevidence,mapsthescenariotostandards,andthenallowsafutureevaluatortocomparetestingmethods.Fig.3.Benchmarkscenarioconstructionandevaluationpipeline.3.3StandardsorLiteratureMappingThestandards-mappinglayerisessentialbecauseitpreventsthebenchmarkfrombecominganarbitrarylistofinventedscenarios.BrokenaccesscontrolmapstoOWASPA01:2025andtoAPI-levelriskssuchasBOLAandBFLA[2]-[4].Authenticationandsession-managementGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page15scenariosmaptoASVSrequirements,OAuth2.0securityguidance,OpenIDConnect,andCWEcategoriesforimproperauthentication,missingauthentication,insufficientsessionexpiration,andtokenmisuse[5],[13]-[15],[21]-[23].Secure-developmentandvulnerability-managementrelevancemapstoNISTSSDF,CISASecurebyDesign,CVSS,EPSS,andbenchmarkliterature[8],[19],[20],[24],[25],[37]-[40].3.4EvaluationLogicAuthStateBenchdoesnotpresentaccuracy,precision,recall,F1-score,exploitsuccess,scannerresults,orAI-agentperformance.Instead,itdefineshowfuturestudiescanevaluatesuchoutcomesresponsibly.Afutureevaluationcancomparewhetheramethodidentifiesthecorrectscenarioclass,recognizestherequiredpreconditions,distinguishesauthenticationfromauthorization,determinesobjectownership,checksworkfloworder,explainsevidence,andmapsfindingstostandards.Thisdesignavoidsfalseempiricalclaimswhilestillprovidingaconcretefoundationforempiricalwork.3.5JustificationStatefulauthorizationandauthenticationweaknessesrequirescenario-basedbenchmarkdesignbecauseisolatedrequesttestingisinsufficient.Forexample,aGETrequestfor/invoice/124maybesecurefortheownerandinsecureforadifferentuser.APOSTrequestthatapprovesatransactionmaybecorrectafterreviewandinsecurebeforereview.Asessiontokenmaybevalidbeforelogoutandinsecureifacceptedafterward.Thesecasescannotbebenchmarkedbyrequestshapealone;theyrequiredocumentedstate.AuthStateBenchmakesthisstateexplicitandthereforeimprovesreproducibility,comparability,andstandardsalignment.Table4.AuthStateBenchscenariotaxonomy.ScenarioclassCorefailureObject-levelauthorizationfailureFunction-levelauthorizationfailurePrivilegeescalationActoraccessesanobjectthatbelongstoanotheruser,tenant,orrole.Actorreachesafunctionoutsidepermittedroleorpermissionscope.Actorgainselevatedcapabilitybymanipulatingrole,GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27TypicalstatedimensionsRolestate+objectownership+sessionvalidityRolestate+workflowstateRolestate+sessionstate+workflowstateExamplesecureexpectationTheserverchecksownershiportenantboundaryforeveryobjectaccess.TheserverenforcesfunctionpermissionsindependentofhiddenUIcontrols.Privilegetransitionsrequireserver-sideauthorizationandG.2076Sessionlifecyclefailuretoken,endpoint,ortransition.Expired,logged-out,fixed,orstaletokensremainusable.Sessionstate+rolestateWorkflowbypassActorskipsorreordersrequiredprocesssteps.Workflowstate+rolestate+objectownershipRole-confusionfailureTenant-isolationfailureReauthenticationfailureRolestate+sessionstateObjectownership+rolestateSessionstate+workflowstateApplicationconfusesguest,user,privilegeduser,admin,ordowngradedrole.Actorcrossesorganization,workspace,ortenantboundary.Sensitiveactionproceedswithoutfreshauthenticationorstep-upverification.Page16reauthenticationwhereappropriate.Tokensareinvalidatedandrefreshedaccordingtosecurityrequirements.Businessoperationsrequireallpreconditionsandstatetransitions.Server-sidepolicyresolvesrolecorrectlyafterlogin,logout,downgrade,oraccountchanges.Tenantboundaryisenforcedforeveryresourceandfunction.High-riskoperationsrequirefreshidentityassuranceorequivalentcontrol.Table5.Role-session-object-workflowstatematrix.RolestateDimensionSessionstateRepresentativestatesGuest,registereduser,privilegeduser,admin,downgradeduser,serviceaccountValid,expired,reused,fixed,loggedout,tokenchanged,privilegechanged,reauthenticatedObject-ownershipOwnedobject,unownedobject,stateGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27SecurityquestionFailureindicatorIstheactorallowedtoperformthisfunction?Isthesessionstateacceptablefortherequestedaction?Functionsucceedsforaroleoutsideintendedpermissionscope.Actionsucceedswithstale,invalid,fixed,orinsufficientlyfreshsessioncontext.DoestheactorhaverightsoverthisObjectdataoractionsucceedsacrossG.2076Page17Workflowstatesharedobject,hiddenobject,tenant-specificobjectNormalsequence,skippedstep,repeatedstep,forcedendpoint,post-approvalstate,rollbackstatespecificobjectinstance?ownershiportenantboundary.Hastheprocessreachedtherequiredbusinessstate?Endpointallowsactionbeforerequiredpreconditionsorafterinvalidtransition.Table6.OWASPTop10/ASVS/NISTSSDF/CWEmappingtable.BenchmarkclassObject-levelauthorizationfailureOWASPmappingOWASPA01:2025;API1:2023BOLAASVS/WSTGmappingAccesscontrolandAPItestingrequirementsFunction-levelauthorizationfailureOWASPA01:2025;API5:2023BFLAAuthenticationworkflowfailureSessionlifecyclefailureOWASPauthentication-relatedrisks;API2:2023BrokenAuthenticationBrokenaccesscontrolandauthentication-adjacentriskWorkflowbypassBusinesslogicabuse;brokenServer-sideauthorizationverification;businesslogictestingAuthenticationandidentityverificationrequirementsSessionmanagementverification;logoutandtimeouttestingBusinesslogicandworkflowGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27NIST/CISAmappingSSDFverificationandvulnerabilityresponse;SecurebyDesigndefaultprotectionSecuredesignreviewandthreatmodelingCWEmappingCWE-284,CWE-862,CWE-863,CWE-639CWE-862,CWE-863SSDFsecuredesignandverificationCWE-287,CWE-306SecuredefaultsessionbehaviorCWE-613,CWE-287ThreatmodelingandsecureCWE-840,CWE-863,G.2076Page18accesscontrolBrokenaccesscontrol;APIobject-levelaccesscontrolBrokenaccesscontrol;authenticationcontrolweaknesstestingAccesscontrolanddataisolationverificationFreshauthenticationforsensitiveactionsrequirementsSecurearchitectureandproductsafetyCWE-862CWE-284,CWE-862,CWE-863IdentityassuranceandsecuredefaultsCWE-287,CWE-306Table7.Benchmarkscenariotemplate.Tenant-isolationfailureReauthenticationfailureFieldScenarioIDScenarioclassAttackerroleVictim/targetroleObjectownershipconditionSessionconditionWorkflowpreconditionAttackactionExpectedsecurebehaviorInsecurebehaviorStandardsmappingGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27DescriptionUniqueidentifiersuchasASB-OBJ-001orASB-SES-003.Taxonomycategory,suchasobject-levelauthorizationfailureorsessionlifecyclefailure.Therolefromwhichtheunauthorizedactionisattempted.Theroleoraccountowningthetargetresource,ifapplicable.Owned,unowned,shared,hidden,cross-tenant,orsystem-ownedobject.Valid,expired,loggedout,tokenrefreshed,privilegechanged,stale,fixed,orreauthenticated.Normalsequence,skippedstage,repeatedstage,forcedendpoint,pre-approval,post-approval,orrollback.Abstractactionattemptedinthecontrolledbenchmarkscenario.Policydecisionthatshouldoccurinasecureimplementation.Failureconditionthatmarksthescenariovulnerableinanintentionallyvulnerableimplementation.OWASP,ASVS,WSTG,NIST,CISA,MITRECWE,OAuth/OIDCmappingasapplicable.G.2076Evidencerequirement4.MethodologyPage19Whatfuturetestersmustrecord:requestsequence,sessionstate,rolepair,objectIDrelation,response,andpolicyrationale.4.1ResearchDesignTheresearchdesigncombinedstructuredliteraturereview,standardsmapping,conceptualsynthesis,andbenchmarkdesign.Thestudywasnotconductedasanempiricaltool-evaluationexperiment.Noscannerwasexecuted,novulnerablelaboratorywasdeployed,nolivetargetwastested,andnoprivatedatasetwasanalyzed.Themethodinsteadusedliteratureandstandardstoderiveabenchmarkdesignthatcanlatersupportimplementationandevaluation.Thisdesignisappropriatebecausethecontributionisascenario-constructionmodel.Abenchmark-designarticlemustfirstdefinewhatcountsasascenario,whatsecuritypropertyisbeingtested,whatstatemustberecorded,andhowrelevanceismappedtostandardsbeforeperformanceclaimscanbeevaluated.4.2SearchStrategy/DataSourceStrategyThesearchstrategyusedcombinationsoftermssuchas“brokenaccesscontrolwebapplicationtesting,”“authorizationvulnerabilitybenchmark,”“authenticationworkflowvulnerability,”“statefulwebapplicationsecuritytesting,”“IDORBOLAbenchmark,”“role-basedaccesscontrolwebvulnerability,”“workflowbypasswebsecurity,”“sessionmanagementvulnerabilitytesting,”“OWASPASVSaccesscontrolrequirements,”“webvulnerabilitybenchmarkevaluation,”and“AI-assistedvulnerabilitydetectionbenchmark.”Searchesprioritizedpeer-revieweddatabasesandofficialstandardssources.GoogleScholarwasusedfordiscovery,whilepreferencewasgiventopublisherpages,officialprojectpages,governmentguidance,RFCs,andstandardspageswhereavailable.Thesourcebaseincludedacademicliteratureonaccess-controlanalysis,statefulwebtesting,weblogicflaws,scannerevaluation,benchmarks,andAI-assistedvulnerabilitydetection[26]-[46].ItalsoincludedstandardsandguidancefromOWASP,NIST,MITRE,CISA,FIRST,OAuth,OpenID,andISO/IEC[1]-[25],[47]-[49].4.3InclusionandExclusionCriteriaSourceswereincludedwhentheyfocusedonwebapplicationsecurity,APIsecurity,authentication,authorization,sessionmanagement,workflowabuse,benchmarkdesign,vulnerabilitydetection,scannerevaluation,orsecure-developmentguidance.Foundationaloldersourceswereretainedwhentheyintroducedimportantconceptsormethodsforaccess-controlvulnerabilitydetectionorweblogictesting.SourceswereexcludedwhentheyGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page20focusedonlyongenericcybersecurity,malware,blockchain,IoT,ornetworkintrusionwithoutwebapplicationrelevance,orwhentheymadeunsupportedclaimsaboutautomationreplacinghumansecuritytesting.4.4ScreeningorSelectionProcessThescreeningprocessfollowedatransparentreviewapproachratherthanafullyquantifiedPRISMAsystematicreview.Becauseexactsearchcounts,duplicatecounts,andexclusioncountswerenotrecordedinaformalreviewregistry,thisarticledoesnotclaimacompletedPRISMAstudy.Instead,sourceswerescreenedbytitle,abstract,technicalrelevance,standardsrelevance,andcontributiontoscenariomodeling.Selectedsourceswerethencodedaccordingtovulnerabilitytype,testingapproach,statedimension,benchmarkrelevance,andstandardsapplicability.4.5CodingandSynthesisMethodThematicsynthesisgroupedtheliteratureintofourstatedimensions:rolestate,sessionstate,object-ownershipstate,andworkflowstate.Rolestatecapturedguest,user,privilegeduser,admin,downgradeduser,andservice-accountcontexts.Sessionstatecapturedvalid,expired,reused,fixed,logged-out,token-changed,andreauthenticatedcontexts.Objectstatecapturedowned,unowned,shared,hidden,tenant-specific,andsystem-ownedobjects.Workflowstatecapturednormalsequence,skippedstep,repeatedstep,forcedendpoint,pre-approval,post-approval,androllbackconditions.Fig.4illustrateshowliterature,standards,andweaknesstaxonomiesweresynthesizedintothebenchmarkoutputs.Thefigurealsomakesclearthatthearticleisadesignstudyratherthanatool-executionexperiment.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page21Fig.4.LiteratureandstandardssynthesisprocessusedtoderiveAuthStateBench.Algorithm1.AuthStateBenchscenarioconstructionprocedure.Input:Candidateweaknesspattern,relevantstandardclauses,statedimensions,andexpectedsecuritypolicy.1.Identifytheprotectedactionandtargetobject.2.Definethelegitimaterole,unauthorizedrole,sessioncondition,andworkflowprecondition.3.Specifytheexpectedsecuredecisionandvulnerablebehaviortoberepresentedinacontrolledimplementation.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page224.MapthescenariotoOWASP,ASVS/WSTG,NIST/CISA,MITRECWE,andidentity-protocolguidancewhereapplicable.5.Recordevidencerequirements:actorrole,objectrelation,sessionstate,requestsequence,response,andpolicyrationale.Output:Abenchmark-readyscenariorecordthatcanlaterbeimplementedandevaluatedinacontrolledtestbed.Aftercoding,recurringvulnerabilitypatternswereconvertedintobenchmarkscenarioclasses.Eachscenarioclasswascheckedagainstrelevantstandardsandweaknesstaxonomiestoverifythatitcorrespondedtorecognizedsecurityconcernsratherthanarbitraryexamples.4.6ComparisonCriteriaExistingapproacheswerecomparedusingstandardsalignment,explicitstatemodeling,reproducibility,evaluationreadiness,evidencerequirements,abilitytosupportmanualtesting,abilitytosupportscanner-assistedtesting,abilitytosupportAI-assistedtesting,andsuitabilityforsecure-developmenteducation.Thesecriteriawereselectedbecauseabenchmarkdesignmustbeusefulacrossresearchandpractice,notonlywithinasingletoolcategory.4.7ValidityandReliabilityValiditywassupportedthroughtriangulationacrosspeer-reviewedliterature,officialstandards,weaknesstaxonomies,andbenchmarkresources.Reliabilitywassupportedbyusingexplicitscenariofieldsandstatedimensionsratherthannarrative-onlydescriptions.Themainvaliditylimitationisthatthebenchmarkhasnotyetbeenimplementedasrunnablevulnerableapplicationsorevaluatedbyindependentexperts.Arecommendednextstepisexpertreviewbyapplication-securityresearchers,professionalpenetrationtesters,andsecuresoftwareengineers.4.8EthicalConsiderationsThestudydoesnotinvolvehumansubjects,realuserdata,live-systemtesting,unauthorizedaccess,exploitdeployment,screenshots,toolexecution,orprivatevulnerabilityfindings.Scenariosaredescribedabstractlyandareintendedforcontrollededucationalorresearchenvironments.Anyfutureimplementationshoulduseintentionallyvulnerableapplications,localtestbeds,explicitpermission,andresponsibledisclosureprincipleswhereapplicable.Table8.Evaluationcriteriaformanual,scanner-assisted,andAI-assistedtesting.CriterionManualtestingScanner-ScenariorecognitionTesteridentifiesrole,session,object,andworkflowassistedtestingToolmustdiscoverorbeconfiguredwithrelevantstate.AI-assistedtestingModelmustinferorbeprovidedwithscenariostate.Standards-basedreviewReviewercheckswhetherrequirementcoverageGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Preconditionhandlingconditions.Strongwhentesterscontrolaccountsandworkflows.EvidencequalityRequestsequence,accountroles,objectrelation,andresponseevidence.Humanjudgmentcanvalidatebusinesscontext.ReproducibilityRequiresFalse-positivecontroldocumentedstepsandaccounts.Oftenlimitedwithoutauthenticatedcrawlingandmulti-usersupport.Automatedtracesplusmanualconfirmation.Mayflagrequestdifferenceswithoutunderstandingpolicy.Requiresstablecrawlerstateandlogin/sessionhandling.BestuseDeepsemantictestingandbusiness-logicreasoning.Broadcoverageandrepeatablebaselinescanning.Variable;dependsonprompts,contextwindows,andtoolintegration.Explanationmustciteobservedevidence,notonlyplausiblereasoning.Mayhallucinatepolicyunlessconstrainedbyevidence.Requiresfixedprompts,logs,andscenariocontext.Assistedreasoning,testplanning,andevidencesummarization.Page23matchesscenario.Strongforpolicycompletenessbutnotaruntimeproof.Traceablechecklistandrequirementmapping.Canmissruntimebehaviorifreviewisdocument-only.Requiresversionedstandardsandmappingrationale.Requirementstraceabilityandsecure-developmentgovernance.5.ResultsandAnalyticalOutputs5.1ThematicFindingsThesynthesisproducedfourthematicfindings.First,access-controlfailuresaresemanticvulnerabilities:whetherarequestissecuredependsonwhosendsit,whatobjectistargeted,whatsessionstateexists,andwhatworkflowstateapplies.Second,automatedscannerscanprovidevaluablecoveragebutmaystrugglewithmulti-userauthorization,objectownership,andbusinessprocesssemanticsunlessstateandcredentialsareexplicitlymodeled.Third,standardsprovidestrongcontrolexpectations,butadditionalbenchmarkdocumentationisGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page24neededtoturnthoseexpectationsintoreproducibletestcases.Fourth,AI-assistedtestingcansupportsecurityreasoning,butitrequiresstructuredtaskdefinitionsandevidenceconstraintstoavoidplausiblebutunsupportedconclusions.5.2GapMappingThegapmappingshowsthatexistingresourcessupportpartsoftheproblembutnotthecompletestatefulbenchmarkrequirement.OWASPandNISTstandardsdefinewhatsecurebehaviorshouldlooklike.MITRECWEdefinesweaknessfamilies.OWASPBenchmarkandSARDprovidetool-evaluationresources.Access-controlresearchproposesdetectionapproaches.AI-securityresearchhighlightsemergingautomatedreasoningcapabilities.AuthStateBenchintegratesthesestrandsbyrepresentingeachbenchmarkscenarioasastatefulpolicytestwithtraceablestandardsmapping.5.3FrameworkorBenchmarkOutputsTheprimarybenchmarkoutputsarethescenariotaxonomy,thestatematrix,thestandardsmapping,andthescenariotemplatepresentedinTables4-7.Theseoutputsallowafuturebenchmarkimplementationtoincluderepresentativescenariofamiliesratherthanisolatedexamples.Forinstance,anobject-levelauthorizationscenariocanbeinstantiatedwithdifferentcombinationsofroles,tenants,sessionstates,andobject-sharingrules.Aworkflowbypassscenariocanbeinstantiatedwithskippedapproval,repeatedconfirmation,forcedendpointaccess,orpost-rollbackactions.Thismodulardesignsupportsexpansionwhilepreservingconsistentdocumentation.5.4StandardsAlignmentAuthStateBenchalignswithstandardsatthreelevels.Attherisk-taxonomylevel,itmapstoOWASPTop10:2025andOWASPAPISecurityTop10:2023[1]-[4].Attheverificationlevel,itmapstoOWASPASVS5.0.0andWSTGtestingconcerns[5],[6].Atthesecure-developmentandweakness-classificationlevel,itmapstoNISTSSDF,CISASecurebyDesignguidance,andMITRECWEcategories[8],[12]-[20].Identity-protocolreferencessuchasOAuth2.0SecurityBCPandOpenIDConnectsupporttoken,authentication,andsessionlifecyclescenarios[21]-[23].reviews,AuthStateBenchadds5.5ComparisonwithExistingApproachesscenario-levelComparedwithgenericOWASPreproducibility.Comparedwithscannerevaluations,itdocumentsstateconditionsthattoolsmusthandleorbegiven.Comparedwithcode-levelvulnerabilitydatasets,itemphasizespolicysemanticsandmulti-stepworkflows.ComparedwithAI-securitybenchmarks,itprovidesdomain-specificscenariotemplatesforauthorizationandauthenticationworkflowreasoning.Itthereforedoesnotreplaceexistingbenchmarksorstandards;itcomplementsthembyfillingastatefulscenario-designgap.Table9.Researchgapmatrix.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076ExistingresourceOWASPTop10/APITop10WhatitprovidesGapforstatefulRiskcategoriesforwebandAPIsecurity.authorization/authenticationRiskcategorydoesnotbyitselfspecifyrole,session,object,andworkflowpreconditions.Requirementsneedbenchmark-readyscenariofieldsforcomparisonstudies.Guidanceisbroadandnotavulnerabilitytest-casebenchmark.CWEIDsalonedonotdefinemulti-userworkflowconditions.Lessfocusedonmulti-stepauthorizationandauthenticationworkflowsemantics.Maynotisolateauthorizationworkflowreasoningfromexploitexecution.Page25AuthStateBenchresponseConvertsriskcategoriesintoscenarioclasses.Mapsscenariostorequirementsandevidenceexpectations.Linksbenchmarkscenariostosecure-developmentandvalidationactivities.UsesCWEastraceability,notastheentirescenariodefinition.Addsstatefulscenariodesignforauth/access-controlcases.DefinesstructuredtasksforfutureAI-assistedtestingcomparison.OWASPASVS/WSTGVerificationandtestingguidance.NISTSSDF/CISASecurebyDesignMITRECWESecure-developmentgovernanceandproduct-securityprinciples.Weaknessfamilytaxonomy.OWASPBenchmark/SARD/JulietRepeatabletestcasesfortoolevaluation.AIvulnerabilitybenchmarksEvaluateAIoragenticsecuritycapabilities.Table10.Futurevalidationandresearchroadmap.StagePurposeStage1:standardsalignmentreviewCheckwhethermappingsareaccurateandcomplete.Stage2:expertAssesspracticalGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27RecommendedactivityCompareeachscenarioclasswithOWASP,ASVS,WSTG,NIST,CISA,MITRE,OAuth,andOpenIDsources.Invite3-5ExpectedoutputValidatedmappingtableandrevisedscenariodefinitions.ExpertfeedbackG.2076Page26matrixandupdatedtaxonomy.Runnablebenchmarkprototypeandground-truthlabels.Comparativeevaluationresultswithtransparentlimitations.Versionedpublicbenchmarkartifact.reviewrealismandclarity.Turnabstractscenariosintolocalvulnerableapplications.Evaluatemanual,scanner-assisted,AI-assisted,andstandards-basedapproaches.Enablereuseandreplication.Stage3:controlledimplementationStage4:methodcomparisonStage5:publicrelease6.Discussionapplication-securityacademics,penetrationtesters,orsecuresoftwareengineers.Implementrepresentativescenariosinatestbedwithdocumentedaccountsandworkflows.Runcontrolledtestswithoutlivetargetsandrecordevidencequality.Publishdocumentation,templates,scenariodefinitions,andimplementationnotes.6.1KeyInsightsThefirstkeyinsightisthatstatefulauthorizationandauthenticationtestingmustbeframedaspolicy-stateverificationratherthanpayloaddetection.Apayload-centeredviewisusefulforinjectionandmanyinput-drivenflaws,butitisinsufficientforunderstandingwhetheranauthenticatedusershouldaccessaresource,whetheratenantboundaryshouldapply,orwhetheraworkflowstateauthorizesanoperation.Thesecondinsightisthatstandardsmappingimprovesbenchmarklegitimacy,butstandardsalonedonotcreatebenchmarkreproducibility.Thethirdinsightisthatmanual,scanner-assisted,andAI-assistedapproachesshouldnotbetreatedasinterchangeable.Eachhasdifferentstrengthsandevidencerequirements.6.2CybersecurityImplicationsAuthStateBenchhasimplicationsforapplication-securityresearchandcyberdefense.Forresearchers,itprovidesawaytodefinecomparabletasksforaccess-controlandauthenticationworkflowtesting.Fortoolbuilders,itclarifieswhatstateinformationascannerorAI-assistedsystemmusthandle.Fordefenders,itencouragesevidence-basedGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page27assessmentofwhetherauthorizationandsessioncontrolsenforceserver-sidepolicyacrossrealisticbusinessstates.Foreducators,itoffersastructuredwaytoteachjuniorpenetrationtesterswhyauthentication,authorization,sessionmanagement,andworkflowlogicmustbetestedtogether.6.3PracticalandPolicyImplicationsInpractice,thebenchmarkdesigncansupportsecuredevelopmentlifecycleactivities.Requirementsengineerscanusethestatematrixtodocumentauthorizationrules.Developerscanusescenariotemplatestowritetestsforobjectownershipandworkflowpreconditions.Penetrationtesterscanusethetaxonomytostructuremanualtestingevidence.Securitymanagerscanmapfindingstostandardsforreportingandremediationprioritization.Policyteamscanusethestructuretoconnectsecure-by-designexpectationswithconcreteverificationevidence.6.4LimitationsThearticlehasclearlimitations.AuthStateBenchisadesignartifact,notacompletedempiricalbenchmarkimplementation.Notoolresultsarereported,andnoclaimismadeaboutdetectionaccuracy.Thetaxonomymayrequirerefinementafterexpertreviewandcontrolledimplementation.Somestandardsreferencesmayevolve,somappingsshouldbeversioned.ThecurrentdesignfocusesonwebapplicationsandAPIsandmaynotdirectlyapplytomobile,IoT,blockchain,orlow-levelprotocolsystemswithoutadaptation.6.5FutureResearchRoadmapFutureworkshouldproceedinfivesteps.First,anindependentstandards-alignmentreviewshouldverifyscenariomappings.Second,expertreviewshouldassesspracticalrealismandcoverage.Third,selectedscenariosshouldbeimplementedincontrolledvulnerablewebapplicationswithversioneddocumentation.Fourth,manual,scanner-assisted,AI-assisted,andstandards-basedmethodsshouldbecomparedusingexplicitevidencecriteria.Fifth,thebenchmarkshouldbereleasedasapublicartifactwithscenariodefinitions,implementationnotes,ground-truthlabels,andclearethical-useguidance.Fig.5convertsthefuture-workdiscussionintoavalidationroadmap.ThisseparationbetweendesignandempiricalvalidationisimportantbecausethecurrentarticledoesnotclaimscanneraccuracyorAI-agentperformance.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page28Fig.5.FuturevalidationroadmapforturningAuthStateBenchintoanempiricalbenchmark.7.ConclusionStatefulauthorizationandauthenticationworkflowweaknessesremaindifficulttobenchmarkbecausetheirsecuritydependsonrole,session,objectownership,andworkflowconditions.Existingstandardsandbenchmarksprovidevaluablefoundations,buttheydonotfullysolvetheproblemofscenario-levelreproducibilityforsemanticaccess-controlandauthenticationfailures.AuthStateBenchaddressesthisgapbyproposingastandards-alignedbenchmarkdesignthatincludesafour-dimensionalstatemodel,scenariotaxonomy,standardsmapping,scenariotemplate,evaluationcriteria,andvalidationroadmap.Thearticledeliberatelyavoidsunsupportedempiricalclaims.Itdoesnotreportscannerresults,AI-agentperformance,exploitsuccess,orreal-systemtesting.ItscontributionisaGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page29designframeworkthatfutureresearchersandpractitionerscanimplementandevaluatetransparently.Bymakingstatefulconditionsexplicit,AuthStateBenchcanimprovecomparabilityinwebsecuritytesting,supportsecure-developmenteducation,andprovideafoundationformorerigorousevaluationofmanual,scanner-assisted,AI-assisted,andstandards-basedapproachestoauthorizationandauthenticationworkflowsecurity.DeclarationsFundingNofundingwasreceivedforthiswork.CompetingInterestsTheauthordeclaresnocompetinginterests.EthicsApprovalNotapplicable.Thisarticleisaliterature-basedandstandards-alignedbenchmark-designstudyanddoesnotinvolvehumanparticipants,personaldata,live-systemtesting,oranimalsubjects.ConsentforPublicationNotapplicable.DataAvailabilityNoempiricaldatasetwasgeneratedoranalyzed.Thearticleisbasedonpubliclyavailableliterature,standards,andguidancesourcescitedinthereferencelist.Futurebenchmarkscenariosshouldbereleasedasversioneddocumentationifimplemented.AuthorContributionsMuhammadShahzadKhadimconceptualizedthestudy,designedthemethodology,developedthebenchmarkmodel,andwrotethemanuscript.SyedMufassirShahcontributedtoliteraturereview,dataorganization,andmanuscriptediting.ZubairKhanassistedinvalidationdesign,formatting,andfinalproofreading.AcknowledgementsTheauthoracknowledgesthepublicworkofOWASP,NIST,MITRE,CISA,FIRST,IETF,OpenIDFoundation,andtheacademicsecurityresearchcommunitywhosestandardsandstudiesinformedthisconceptualbenchmarkdesign.DeclarationofgenerativeAIandAI-assistedtechnologiesinthemanuscriptpreparationprocessDuringthepreparationofthiswork,theauthorusedChatGPTbyOpenAItoassistwithimprovement,clarityenhancement,andmanuscriptlanguagerefinement,formattingGRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page30organization.Afterusingthistool,theauthorreviewedandeditedthecontentasneededandtakesfullresponsibilityforthecontentofthesubmittedmanuscript.References[1]OWASPFoundation.OWASPTopTenWebApplicationSecurityRisks2025.OWASP,2025.Accessed27April2026.[2]OWASPFoundation.A01:2025-BrokenAccessControl.OWASPTop10:2025.Accessed27April2026.[3]OWASPFoundation.OWASPAPISecurityTop102023.OWASP,2023.Accessed27April2026.[4]OWASPFoundation.API1:2023-BrokenObjectLevelAuthorization.OWASPAPISecurityTop102023.Accessed27April2026.[5]OWASPFoundation.OWASPApplicationSecurityVerificationStandard5.0.0.OWASP,2025.Accessed27April2026.[6]OWASPFoundation.OWASPWebSecurityTestingGuide,latestrelease.OWASP.Accessed27April2026.[7]OWASPFoundation.OWASPBenchmarkProject.OWASP.Accessed27April2026.[8]M.Souppaya,K.Scarfone,andD.Dodson.SecureSoftwareDevelopmentFramework(SSDF)Version1.1:RecommendationsforMitigatingtheRiskofSoftwareVulnerabilities.NISTSP800-218,2022.[9]NISTSAMATE.SoftwareAssuranceReferenceDataset(SARD).NationalInstituteofStandardsandTechnology.Accessed27April2026.[10]P.E.Black.TheSoftwareAssuranceReferenceDataset.NISTInternalReport8561,2025.[11]F.E.BolandJr.andP.E.Black.TheJuliet1.1C/C++andJavaTestSuite.NationalInstituteofStandardsandTechnology,2012.[12]MITRE.CWE-284:ImproperAccessControl.CommonWeaknessEnumeration.Accessed27April2026.[13]MITRE.CWE-287:ImproperAuthentication.CommonWeaknessEnumeration.Accessed27April2026.[14]MITRE.CWE-306:MissingAuthenticationforCriticalFunction.CommonWeaknessEnumeration.Accessed27April2026.[15]MITRE.CWE-613:InsufficientSessionExpiration.CommonWeaknessEnumeration.Accessed27April2026.[16]MITRE.CWE-639:AuthorizationBypassThroughUser-ControlledKey.CommonWeaknessEnumeration.Accessed27April2026.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page31[17]MITRE.CWE-862:MissingAuthorization.CommonWeaknessEnumeration.Accessed27April2026.[18]MITRE.CWE-863:IncorrectAuthorization.CommonWeaknessEnumeration.Accessed27April2026.[19]CISA.SecurebyDesign.CybersecurityandInfrastructureSecurityAgency.Accessed27April2026.[20]CISAandinternationalpartners.ShiftingtheBalanceofCybersecurityRisk:PrinciplesandApproachesforSecurebyDesignSoftware,2023.[21]T.Lodderstedt,J.Bradley,A.Labunets,andD.Fett.BestCurrentPracticeforOAuth2.0Security.RFC9700,BCP240,RFCEditor,2025.doi:10.17487/RFC9700.[22]N.Sakimura,J.Bradley,M.Jones,B.deMedeiros,andC.Mortimore.OpenIDConnectCore1.0incorporatingerrataset2.OpenIDFoundation.Accessed27April2026.[23]OpenIDFoundation.OpenIDConnectSessionManagement1.0.Finalspecification,2022.[24]FIRST.CommonVulnerabilityScoringSystemVersion4.0:SpecificationDocument.ForumofIncidentResponseandSecurityTeams.Accessed27April2026.[25]FIRST.ExploitPredictionScoringSystem(EPSS).ForumofIncidentResponseandSecurityTeams.Accessed27April2026.[26]M.Rennhard,etal.AutomatingtheDetectionofAccessControlVulnerabilitiesinWebApplications.SNComputerScience,2022.[27]L.Zhong,etal.ASurveyofPreventandDetectAccessControlVulnerabilitiesinWebApplications.arXivpreprintarXiv:2304.10600,2023.[28]F.Liu,etal.BACScan:AutomaticBlack-BoxDetectionofBrokenAccess-ControlVulnerabilities.ACMCCS,2025.[29]F.Sun,L.Xu,andZ.Su.StaticDetectionofAccessControlVulnerabilitiesinWebApplications.USENIXSecuritySymposium,2011.[30]X.LiandY.Xue.BLOCK:ABlack-boxApproachforDetectionofStateViolationAttacksTowardsWebApplications.ACSAC,2011.[31]V.Felmetsger,L.Cavedon,C.Kruegel,andG.Vigna.TowardAutomatedDetectionofLogicVulnerabilitiesinWebApplications.USENIXSecuritySymposium,2010.[32]G.PellegrinoandD.Balzarotti.TowardBlack-BoxDetectionofLogicFlawsinWebApplications.NetworkandDistributedSystemSecuritySymposium,2014.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page32[33]P.P.S.Bisht,T.Hinrichs,N.Skrupsky,R.Bobrowicz,andV.N.Venkatakrishnan.NoTamper:AutomaticBlackboxDetectionofParameterTamperingOpportunitiesinWebApplications.ACMCCS,2010.[34]X.Li,Y.Xue,andM.Chu.AutomatedBlack-BoxDetectionofAccessControlVulnerabilitiesinWebApplications.SACMAT,2014.[35]A.Borcherding,etal.SWaTEval:AnEvaluationFrameworkforStatefulWebApplicationTesting.InformationSystemsandTechnologies,2023.InternationalConferenceonWeb[36]R.Natella,etal.ProFuzzBench:ABenchmarkforStatefulProtocolFuzzing.ACMISSTA,2021.[37]E.Fong,V.Okun,andR.Gaucher.WebApplicationScanners:DefinitionsandFunctions.NISTSAMATE,2007.[38]P.Nunes,J.Fonseca,andM.Vieira.BenchmarkingStaticAnalysisToolsforWebSecurity.IEEETransactionsonReliability,2018.[39]M.Miltenberger,etal.BenchmarkingtheBenchmarks.ACM,2023.[40]N.Risse,etal.OnBenchmarkinginMachineLearningforVulnerabilityDetection.ISSTA,2025.[41]H.Xu,S.Wang,N.Li,K.Wang,Y.Zhao,K.Chen,T.Yu,Y.Liu,andH.Wang.LargeLanguageModelsforCyberSecurity:ASystematicLiteratureReview.arXiv:2405.04760,2024.[42]S.M.TaghaviFar,etal.LargeLanguageModelsforSoftwareVulnerabilityDetection.InternationalJournalofInformationSecurity,2025.[43]Y.Chen,etal.ASurveyofLargeLanguageModelsforCyberThreatDetection.Computers&Security,2024.[44]Y.Zhu,A.Kellermann,D.Bowman,P.Li,A.Gupta,A.Danda,R.Fang,C.Jensen,E.Ihli,J.Benn,etal.CVE-Bench:ABenchmarkforAIAgents'AbilitytoExploitReal-WorldWebApplicationVulnerabilities.ICML,2025.[45]R.Fang,etal.Cybench:AFrameworkforEvaluatingCybersecurityCapabilitiesandRisksofLanguageModels.arXiv:2408.08926,2024.[46]M.MalkawiandR.Alhajj.AI-PoweredVulnerabilityDetectionandPatchManagementinCybersecurity:ASystematicReviewofTechniques,Challenges,andEmergingTrends.MachineLearningandKnowledgeExtraction,vol.8,no.1,Article19,2026.doi:10.3390/make8010019.[47]ISO/IEC.ISO/IEC27034-1:2011,Informationtechnology-Securitytechniques-Applicationsecurity-Part1:Overviewandconcepts.InternationalOrganizationforStandardization,2011.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27G.2076Page33[48]ISO/IEC/IEEE.ISO/IEC/IEEE29119-1:2022,Softwareandsystemsengineering-Softwaretesting-Part1:Generalconcepts.InternationalOrganizationforStandardization,2022.[49]NIST.DigitalIdentityGuidelines:AuthenticationandLifecycleManagement,SP800-63B.NationalInstituteofStandardsandTechnology,latestavailablerevisionaccessed27April2026.GRJNST,Volume:04-Issue2(2026)/ISSNP:2790-7643ArticleID:2076https://doi.org/10.53762/grjnst.04.02.27