
Shepherd: Enabling Automatic and Large-Scale Login Security Studies

More and more parts of the internet are hidden behind a login field. This poses a barrier to any study predicated on scanning the internet. Moreover, the authentication process itself may be a weak point. To study authentication weaknesses at scale, automated login capabilities are needed. In this w...

Bibliographic Details
Published in: arXiv.org 2018-08
Main Authors: Jonker, Hugo; Kalkman, Jelmer; Krumnow, Benjamin; Sleegers, Marc; Verresen, Alan
Format: Article
Language: English
container_title arXiv.org
creator Jonker, Hugo
Kalkman, Jelmer
Krumnow, Benjamin
Sleegers, Marc
Verresen, Alan
description More and more parts of the internet are hidden behind a login field. This poses a barrier to any study predicated on scanning the internet. Moreover, the authentication process itself may be a weak point. To study authentication weaknesses at scale, automated login capabilities are needed. In this work we introduce Shepherd, a scanning framework to automatically log in on websites. The Shepherd framework enables us to perform large-scale scans of post-login aspects of websites. Shepherd scans a website for login fields, attempts to submit credentials and evaluates whether login was successful. We illustrate Shepherd's capabilities by means of a scan for session hijacking susceptibility. In this study, we use a set of unverified website credentials, some of which will be invalid. Using this set, Shepherd is able to fully automatically log in and verify that it is indeed logged in on 6,273 unknown sites, or 12.4% of the test set. We found that from our (biased) test set, 2,579 sites, i.e., 41.4%, are vulnerable to simple session hijacking attacks.
format article
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2018-08
issn 2331-8422
language eng
recordid cdi_proquest_journals_2093774829
source Publicly Available Content Database
subjects Access control
Authentication
Automation
Cybersecurity
Internet
Websites
title Shepherd: Enabling Automatic and Large-Scale Login Security Studies
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-30T22%3A36%3A32IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Shepherd:%20Enabling%20Automatic%20and%20Large-Scale%20Login%20Security%20Studies&rft.jtitle=arXiv.org&rft.au=Jonker,%20Hugo&rft.date=2018-08-02&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2093774829%3C/proquest%3E%3Cgrp_id%3Ecdi_FETCH-proquest_journals_20937748293%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2093774829&rft_id=info:pmid/&rfr_iscdi=true