Skip to content
/ login-security-landscape Public

Code for our 2024 IEEE S&P Paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape"

www.computer.org/csdl/proceedings-article/sp/2024/313000a094/1ub232srvao

License

MIT license
8 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cispa/login-security-landscape

BranchesTags

Repository files navigation

To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape

This repository contains the code of our paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape" IEEE S&P 2024.

Our code is organized into three distinct modules that can all run independently or together. For a high-level description of the modules please see below. Detailed instructions for each module can be found in the respective folders.

Setup

Run git clone https://github.com/cispa/login-security-landscape --recurse-submodules, then follow the instructions in the respective subproject folders.

AccountFramework

The AccountFramework helps conducting experiments with logged-in sessions. It organizes the full process of finding registration options on websites, registering accounts for various identities, logging in and verifying that the login works, and the distribution of valid sessions to experiments.

Features:

  • Automatic registration and login form finding
  • Passwordmanager-supported registration task routines (requires manual input)
  • Automatic login handling (with manual fallback option)
  • Automatic login validation (with manual fallback option)
  • Session and Account Management APIs for experiments

PythonCrawler

The PythonCrawler is a modular crawling framework based on Playwright and implemented in Python. The provided modules HeadersExperiment and InclusionIssues correspond to experiments 5.2 Security Headers and 5.3 JavaScript Inclusions in the paper.

TypeScriptCrawler

The TypeScriptCrawler is a modular crawling framework based on Playwright and implemented in TypeScript. The provided modules cxss and pmsecurity correspond to experiments 5.1 Client-Side XSS and 5.4 PostMessages in the paper.

Contact

If there are questions about our tools or paper, please either file an issue or contact jannis.rautenstrauch (AT) cispa.de.

Research Paper

The paper is available at the IEEE Computer Society Digital Library. You can cite our work with the following BibTeX entry:

@inproceedings{rautenstrauch2024auth,
 author = {Rautenstrauch, Jannis and Mitkov, Metodi and Helbrecht, Thomas and Hetterich, Lorenz and Stock, Ben},
 booktitle = {IEEE Symposium on Security and Privacy},
 title = {{To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape}},
 year = {2024},
 doi = {10.1109/SP54263.2024.00094},
}

About

Code for our 2024 IEEE S&P Paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape"

www.computer.org/csdl/proceedings-article/sp/2024/313000a094/1Ub232sRVao

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

8 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages