AuthStateBench: A Standards-Aligned Benchmark for Stateful Authorization and Authentication Workflows
DOI: https://doi.org/10.53762/grjnst.04.02.27

Keywords: Web application security; broken access control; authentication workflow; authorization testing; benchmark design; stateful security testing

Abstract
Authentication and authorization weaknesses in modern web applications rarely arise as isolated request-level defects. They often depend on role changes, session lifecycle conditions, object ownership boundaries, API authorization rules, and business workflow ordering. Existing vulnerability benchmarks and scanner evaluations remain valuable, but they often represent weaknesses as code-level or input-output defects and therefore underrepresent semantic failures such as IDOR/BOLA, function-level authorization bypass, stale-session reuse, tenant-boundary violation, privilege transition errors, and workflow bypass. This article introduces AuthStateBench, a standards-aligned benchmark design for modeling stateful authorization and authentication workflow vulnerabilities in web applications and APIs. The study uses a structured literature-based and standards-mapping methodology that draws on access-control testing research, stateful web testing, web logic flaw analysis, scanner-evaluation studies, vulnerability benchmark literature, AI-assisted vulnerability-analysis work, and major security guidance including OWASP Top 10, OWASP API Security Top 10, OWASP ASVS, OWASP WSTG, NIST SSDF, MITRE CWE, CISA Secure by Design, OAuth 2.0 security guidance, OpenID Connect, and software-assurance benchmark resources. AuthStateBench contributes a four-dimensional state model built around role state, session state, object-ownership state, and workflow state; a scenario taxonomy; a benchmark scenario template; standards-mapping logic; formal scenario and coverage equations; and comparison criteria for manual, scanner-assisted, AI-assisted, and standards-based assessment. The article does not claim empirical detection accuracy, tool execution, live-system testing, or dataset results. Instead, it provides a reproducible design artifact and validation roadmap for future controlled implementation and comparative evaluation.
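The four-dimensional state model (role, session, object ownership, workflow) and the scenario-versus-policy comparison described in the abstract can be made concrete with a small reference model. The following is an added illustration written for this page, not code from the AuthStateBench article or its authors: it defines a state tuple over the four dimensions, a reference authorization policy that consults all of them, a deliberately request-level policy that consults only role and session state, a constructed scenario set drawn from the weakness classes the abstract names (IDOR/BOLA, tenant-boundary violation, function-level bypass, stale-session reuse, workflow bypass), and a simple dimension-coverage ratio. The scenario names, tenant and user names, action names, and the CWE labels attached to each denial are the example's own choices and assumptions; the article's actual scenario template and coverage equations are not reproduced here.

```python
"""Toy four-dimensional authorization state model (added illustration, not the paper's artifact)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The four state dimensions named in the abstract.
DIMENSIONS = ("role", "session", "ownership", "workflow")


@dataclass(frozen=True)
class AuthState:
    role: str            # role state: "user" or "admin" (assumed role names)
    session_valid: bool  # session state: False once the session is revoked or expired
    tenant: str          # ownership state: tenant the subject belongs to
    completed_step: int  # workflow state: last step the subject has completed


@dataclass(frozen=True)
class Resource:
    owner_user: str
    owner_tenant: str


@dataclass(frozen=True)
class Request:
    subject: str
    action: str          # assumed actions: "read_order", "export_all", "checkout"
    resource: Resource


@dataclass(frozen=True)
class Decision:
    allowed: bool
    dimension: Optional[str]  # which state dimension produced the denial, if any
    cwe: Optional[str]        # CWE label chosen by this example for that denial class


ADMIN_ONLY = {"export_all"}          # function-level rule (assumption)
WORKFLOW_STEP = {"checkout": 3}      # checkout is step 3 of an ordered flow (assumption)

Policy = Callable[[AuthState, Request], Decision]


def authorize(state: AuthState, req: Request) -> Decision:
    """Reference policy: every one of the four dimensions is consulted."""
    if not state.session_valid:                        # stale-session reuse
        return Decision(False, "session", "CWE-613")
    if req.action in ADMIN_ONLY and state.role != "admin":   # function-level bypass
        return Decision(False, "role", "CWE-285")
    if state.tenant != req.resource.owner_tenant:      # tenant-boundary violation
        return Decision(False, "ownership", "CWE-639")
    if state.role != "admin" and req.subject != req.resource.owner_user:  # IDOR / BOLA
        return Decision(False, "ownership", "CWE-639")
    required = WORKFLOW_STEP.get(req.action)
    if required is not None and state.completed_step != required - 1:    # workflow bypass
        return Decision(False, "workflow", "CWE-841")
    return Decision(True, None, None)


def request_level_only(state: AuthState, req: Request) -> Decision:
    """Weak policy: checks only per-request properties, ignoring ownership and workflow state."""
    if not state.session_valid:
        return Decision(False, "session", "CWE-613")
    if req.action in ADMIN_ONLY and state.role != "admin":
        return Decision(False, "role", "CWE-285")
    return Decision(True, None, None)


@dataclass(frozen=True)
class Scenario:
    name: str
    dimension: str        # the state dimension the scenario is designed to exercise
    state: AuthState
    request: Request
    expect_allowed: bool  # ground truth a benchmark scenario would carry


# Constructed scenario set; one resource shared across scenarios.
ORDER = Resource(owner_user="alice", owner_tenant="acme")
SCENARIOS: List[Scenario] = [
    Scenario("owner reads own order", "ownership",
             AuthState("user", True, "acme", 0), Request("alice", "read_order", ORDER), True),
    Scenario("IDOR/BOLA: other user reads alice's order", "ownership",
             AuthState("user", True, "acme", 0), Request("bob", "read_order", ORDER), False),
    Scenario("tenant boundary: same username in another tenant", "ownership",
             AuthState("user", True, "globex", 0), Request("alice", "read_order", ORDER), False),
    Scenario("function-level: user calls admin export", "role",
             AuthState("user", True, "acme", 0), Request("alice", "export_all", ORDER), False),
    Scenario("stale session: revoked admin session reused", "session",
             AuthState("admin", False, "acme", 0), Request("alice", "export_all", ORDER), False),
    Scenario("workflow bypass: checkout before payment step", "workflow",
             AuthState("user", True, "acme", 1), Request("alice", "checkout", ORDER), False),
    Scenario("workflow ordered correctly", "workflow",
             AuthState("user", True, "acme", 2), Request("alice", "checkout", ORDER), True),
]


def run(scenarios: List[Scenario], policy: Policy) -> Dict[str, Tuple[bool, Decision]]:
    """Evaluate each scenario against a policy; True means the policy matched ground truth."""
    return {s.name: (policy(s.state, s.request).allowed == s.expect_allowed,
                     policy(s.state, s.request)) for s in scenarios}


def failing(scenarios: List[Scenario], policy: Policy) -> List[str]:
    """Names of scenarios where the policy disagrees with the expected outcome."""
    return [name for name, (ok, _) in run(scenarios, policy).items() if not ok]


def dimension_coverage(scenarios: List[Scenario]) -> float:
    """Fraction of the four state dimensions exercised by at least one scenario."""
    covered = {s.dimension for s in scenarios} & set(DIMENSIONS)
    return len(covered) / len(DIMENSIONS)


if __name__ == "__main__":
    print("coverage:", dimension_coverage(SCENARIOS))
    print("reference policy misses:", failing(SCENARIOS, authorize))
    print("request-level policy misses:", failing(SCENARIOS, request_level_only))
```

Running the block shows the point the abstract makes: the request-level policy passes every scenario that a per-request check can express (role, session) and misses exactly the ownership and workflow scenarios, which only become visible when the benchmark carries state across role, session, ownership and workflow dimensions.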
Copyright (c) 2026 Muhammad Shahzad Khadim (Corresponding Author), Syed Mufassir Shah, Zubair Khan (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.