Shepherd: A Generic Approach to Automating Website Login

H.L. Jonker, Stefan Karsch, Benjamin Krumnow, Marc Sleegers

Research output: Chapter in Book/Report/Conference proceedingConference Article in proceedingAcademicpeer-review


To gauge adoption of web security measures, largescale testing of website security is needed. However, the diversity of modern websites makes a structured approach to testing a daunting task. This is especially a problem with respect to logging in: there are many subtle deviations in the flow of the login process between websites. Current efforts investigating login security typically are semi-automated, requiring manual intervention which does not scale well. Hence, comprehensive studies of post-login areas have not been possible yet.
In this paper, we introduce Shepherd, a generic framework for logging in on websites. Given credentials, it provides a fully automated attempt at logging in. We discuss various design challenges related to automatically identifying login areas, validating correct logins, and detecting incorrect credentials. The tool collects data on successes and failures for each of these. We evaluate Shepherd’s capabilities to login on thousands of sites, using unreliable, legitimately crowd-sourced credentials for a random selection from the Alexa Top websites list. Notwithstanding parked domains, invalid credentials, etc., Shepherd was able to
automatically log in on 7,113 sites from this set, an order of magnitude beyond previous efforts at automating login.
Original languageEnglish
Title of host publicationProceedings MADWeb 2020
Subtitle of host publicationWorkshop on Measurements, Attacks, and Defenses for the Web, February 23, 2020, San Diego, California
Place of PublicationReston
PublisherInternet Society
Number of pages10
ISBN (Electronic)1891562630
Publication statusPublished - 2020
EventThe Network and Distributed System Security Symposium 2020 - Catamaran Resort Hotel & Spa, San Diego, United States
Duration: 23 Feb 202026 Feb 2020


SymposiumThe Network and Distributed System Security Symposium 2020
Abbreviated titleNDSS 2020
Country/TerritoryUnited States
CitySan Diego


Dive into the research topics of 'Shepherd: A Generic Approach to Automating Website Login'. Together they form a unique fingerprint.

Cite this