Abstract
To gauge adoption of web security measures, large-scale testing of website security is needed. However, the diversity of modern websites makes a structured approach to testing a daunting task. This is especially a problem with respect to logging in: there are many subtle deviations in the flow of the login process between websites. Current efforts investigating login security are typically semi-automated, requiring manual intervention that does not scale well. Hence, comprehensive studies of post-login areas have not been possible yet.
In this paper, we introduce Shepherd, a generic framework for logging in on websites. Given credentials, it provides a fully automated attempt at logging in. We discuss various design challenges related to automatically identifying login areas, validating correct logins, and detecting incorrect credentials. The tool collects data on successes and failures for each of these. We evaluate Shepherd's capabilities to log in on thousands of sites, using unreliable, legitimately crowd-sourced credentials for a random selection from the Alexa Top websites list. Notwithstanding parked domains, invalid credentials, etc., Shepherd was able to automatically log in on 7,113 sites from this set, an order of magnitude beyond previous efforts at automating login.
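The abstract names three design challenges without showing how any of them might be approached: identifying a login area, validating that a login worked, and detecting that credentials were rejected. The following is an added illustration of simple heuristics for all three, written for this page; it is not Shepherd's code and does not claim to reproduce the paper's method. The sample pages, form actions, field names and rejection phrases are all constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample pages (not taken from the paper). The first has a search
# form, a login form and a registration form; the other two are what a login
# attempt might return on success and on rejected credentials.
SAMPLE_LOGIN_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<form action="/session" method="post">
  <input type="hidden" name="csrf" value="token-placeholder">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">Sign in</button>
</form>
<form action="/register" method="post">
  <input type="email" name="email">
  <input type="password" name="pw1">
  <input type="password" name="pw2">
</form>
"""

SAMPLE_POST_LOGIN_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<a href="/logout">Log out</a>
<p>Welcome back, demo-user.</p>
"""

SAMPLE_FAILED_LOGIN_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<p class="error">Invalid username or password.</p>
<form action="/session" method="post">
  <input type="email" name="user">
  <input type="password" name="pass">
</form>
"""

# Constructed list of phrases a site might show after rejecting credentials.
REJECTION_PHRASES = ("invalid", "incorrect", "wrong password", "try again")


class FormCollector(HTMLParser):
    """Records every <form> on a page together with the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "inputs": [{"type", "name"}]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # An <input> without a type attribute defaults to a text field.
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


def classify_form(form):
    """Heuristic: exactly one password field plus an identifier field is a login
    form; two or more password fields suggest registration or password change;
    hidden fields (CSRF tokens) are ignored either way."""
    types = [i["type"] for i in form["inputs"]]
    passwords = types.count("password")
    identifiers = sum(1 for t in types if t in ("text", "email", "tel"))
    if passwords == 1 and identifiers >= 1:
        return "login"
    if passwords >= 2:
        return "registration_or_change"
    return "other"


def find_login_forms(html):
    return [f for f in collect_forms(html) if classify_form(f) == "login"]


def classify_login_attempt(pre_html, post_html):
    """Compare the page before and after submitting credentials.
    success  : a login form was present before and is gone afterwards
    rejected : the login form is still there and a rejection phrase is shown
    unknown  : neither signal is conclusive (e.g. no login form was found at all)"""
    before = find_login_forms(pre_html)
    after = find_login_forms(post_html)
    if before and not after:
        return "success"
    if after and any(p in post_html.lower() for p in REJECTION_PHRASES):
        return "rejected"
    return "unknown"
```

The form classification deliberately counts password fields rather than matching field names, since names vary between sites far more than field types do; the "unknown" outcome is kept separate from "rejected" so that a measurement run can record sites where the heuristics could not decide instead of silently counting them as failures.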
Original language | English |
---|---|
Title of host publication | Proceedings MADWeb 2020 |
Subtitle of host publication | Workshop on Measurements, Attacks, and Defenses for the Web, February 23, 2020, San Diego, California |
Place of Publication | Reston |
Publisher | Internet Society |
Number of pages | 10 |
ISBN (Electronic) | 1891562630 |
DOIs | |
Publication status | Published - 2020 |
Event | The Network and Distributed System Security Symposium 2020 - Catamaran Resort Hotel & Spa, San Diego, United States; duration: 23 Feb 2020 → 26 Feb 2020 |
Symposium
Symposium | The Network and Distributed System Security Symposium 2020 |
---|---|
Abbreviated title | NDSS 2020 |
Country/Territory | United States |
City | San Diego |
Period | 23/02/20 → 26/02/20 |