This paper investigates the use of a Decision Tree classifier for detecting Broken Access Control (BAC) attacks, ranked first (A01) in the OWASP Top 10 since the 2021 edition. Using the BAC-ML-1M dataset (1,000,000 labelled HTTP request records from Mendeley Data), the study performs a data leakage analysis, removes three features derived from the server's response (information an inline detector does not have when the request arrives, so a model trained on it would score well offline and fail in deployment), and trains a Gini-criterion Decision Tree on 9 request-level features that are available at classification time. The model achieves 95.47% accuracy, an F1-score of 95.48%, and an AUC of 0.9872, validated via 5-fold stratified cross-validation (mean 95.47% ± 0.04%). Feature importance analysis identifies resource classification, auth token validity, and login status as the top predictors. This work was submitted as part of the internal assessment for MCA (Cybersecurity), Chanakya University, Bangalore, Academic Year 2025–26.
Author: Hithaishi S P (Mon,)
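The leakage argument in the abstract can be reproduced on a small scale. The following is an added example, not the paper's code and not the BAC-ML-1M dataset: it builds a constructed set of HTTP request records from an assumed access-control rule (feature names `logged_in`, `token_valid`, `role_admin`, `resource_class` and the post-response feature `resp_status_forbidden` are illustrative assumptions), trains a pure-Python CART tree with the Gini criterion (no scikit-learn dependency), scores it with stratified 5-fold cross-validation, and reports Gini feature importance computed as the weighted impurity decrease per feature, the same quantity scikit-learn reports. Running it once with the response-derived feature and once without shows the two effects the paper describes: the leaked feature inflates accuracy and dominates the importance ranking, while the request-time model scores lower but is the one that can actually be deployed in front of the application.

```python
"""Gini decision tree on constructed HTTP-request records, with and without a
post-response feature, to show why leakage analysis matters for BAC detection.
Added example; not the paper's code or the BAC-ML-1M dataset."""
from collections import Counter
import random

# Request-time features (known before the server answers) and one feature
# derived from the response. All names are assumptions for illustration.
REQUEST_FEATURES = ["logged_in", "token_valid", "role_admin", "resource_class"]
LEAKED_FEATURE = "resp_status_forbidden"


def make_records(n, seed=7):
    """Constructed sample. resource_class: 0=public, 1=private, 2=admin.
    Assumed rule: a BAC attack is a private resource hit without a valid
    session or an admin resource hit by a non-admin. 10% of labels are
    flipped to model attacks the request-time features cannot explain."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        logged_in = rng.randint(0, 1)
        token_valid = int(logged_in and rng.random() < 0.9)
        role_admin = int(logged_in and rng.random() < 0.2)
        resource_class = rng.choice([0, 1, 1, 2])
        attack = int((resource_class == 1 and not token_valid)
                     or (resource_class == 2 and not role_admin))
        label = attack if rng.random() < 0.9 else 1 - attack
        # The server's 403 tracks the recorded label almost perfectly: it is
        # post-response information the detector never sees at request time.
        forbidden = label if rng.random() < 0.98 else 1 - label
        rows.append({"logged_in": logged_in, "token_valid": token_valid,
                     "role_admin": role_admin, "resource_class": resource_class,
                     LEAKED_FEATURE: forbidden})
        labels.append(label)
    return rows, labels


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, labels, features):
    """Lowest weighted Gini over thresholds 'x <= t' for each feature."""
    parent, n = gini(labels), len(labels)
    best = (parent, None, None)  # (impurity, feature, threshold)
    for f in features:
        for t in sorted({r[f] for r in rows})[:-1]:
            left = [y for r, y in zip(rows, labels) if r[f] <= t]
            right = [y for r, y in zip(rows, labels) if r[f] > t]
            g = (len(left) * gini(left) + len(right) * gini(right)) / n
            if g < best[0]:
                best = (g, f, t)
    return parent, best


def build_tree(rows, labels, features, importance, depth=0, max_depth=4):
    """Recursive CART tree. Accumulates sample-weighted impurity decrease per
    feature, which normalised is the usual Gini feature importance."""
    majority = Counter(labels).most_common(1)[0][0]
    if depth == max_depth or len(set(labels)) == 1:
        return {"leaf": majority}
    parent, (g, f, t) = best_split(rows, labels, features)
    if f is None:
        return {"leaf": majority}
    importance[f] = importance.get(f, 0.0) + len(labels) * (parent - g)
    l_idx = [i for i, r in enumerate(rows) if r[f] <= t]
    r_idx = [i for i, r in enumerate(rows) if r[f] > t]
    sub = lambda idx: build_tree([rows[i] for i in idx], [labels[i] for i in idx],
                                 features, importance, depth + 1, max_depth)
    return {"feature": f, "threshold": t, "left": sub(l_idx), "right": sub(r_idx)}


def predict(tree, row):
    while "leaf" not in tree:
        tree = tree["left"] if row[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def stratified_folds(labels, k, seed=0):
    """Index folds that preserve the class ratio in every fold."""
    rng = random.Random(seed)
    folds = [[] for _ in range(k)]
    for cls in sorted(set(labels)):
        idx = [i for i, y in enumerate(labels) if y == cls]
        rng.shuffle(idx)
        for j, i in enumerate(idx):
            folds[j % k].append(i)
    return folds


def cross_validate(rows, labels, features, k=5):
    """Mean k-fold accuracy plus normalised importance from a fit on all data."""
    accs = []
    for fold in stratified_folds(labels, k):
        held = set(fold)
        tr = [i for i in range(len(rows)) if i not in held]
        tree = build_tree([rows[i] for i in tr], [labels[i] for i in tr], features, {})
        accs.append(sum(predict(tree, rows[i]) == labels[i] for i in fold) / len(fold))
    imp = {}
    build_tree(rows, labels, features, imp)
    total = sum(imp.values()) or 1.0
    return sum(accs) / k, {f: imp.get(f, 0.0) / total for f in features}


def leakage_comparison(n=2000):
    rows, labels = make_records(n)
    return {"leaky": cross_validate(rows, labels, REQUEST_FEATURES + [LEAKED_FEATURE]),
            "clean": cross_validate(rows, labels, REQUEST_FEATURES)}


if __name__ == "__main__":
    for name, (acc, imp) in leakage_comparison().items():
        print(name, f"accuracy={acc:.3f}", {f: round(v, 2) for f, v in imp.items()})
```

The `leaky` run is what an offline evaluation looks like when response-derived columns are left in: the tree splits on the 403 first and everything else is noise. The `clean` run is the honest number, bounded above by how much of the label the request-time features can explain, and its importance ranking is the one worth reading, since those are the features the detector will actually have. The check to carry over to a real dataset is the same: for every column, ask whether its value exists before the application has answered.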