https://github.com/cispa/login-security-landscape

Code for our 2024 IEEE S&P Paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape"

https://github.com/cispa/login-security-landscape

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
  • .zenodo.json file
  • DOI references
    Found 1 DOI reference(s) in README
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.9%) to scientific vocabulary
Last synced: 10 months ago · JSON representation

Repository

Code for our 2024 IEEE S&P Paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape"

Basic Info
Statistics
  • Stars: 5
  • Watchers: 3
  • Forks: 1
  • Open Issues: 0
  • Releases: 0
Created over 2 years ago · Last pushed over 2 years ago
Metadata Files
Readme License

README.md

To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape

This repository contains the code of our paper "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape" IEEE S&P 2024.

Our code is organized into three distinct modules that can all run independently or together. For a high-level description of the modules please see below. Detailed instructions for each module can be found in the respective folders.

Setup

Run git clone https://github.com/cispa/login-security-landscape --recurse-submodules, then follow the instructions in the respective subproject folders.

AccountFramework

The AccountFramework helps conducting experiments with logged-in sessions. It organizes the full process of finding registration options on websites, registering accounts for various identities, logging in and verifying that the login works, and the distribution of valid sessions to experiments.

Features: - Automatic registration and login form finding - Passwordmanager-supported registration task routines (requires manual input) - Automatic login handling (with manual fallback option) - Automatic login validation (with manual fallback option) - Session and Account Management APIs for experiments

PythonCrawler

The PythonCrawler is a modular crawling framework based on Playwright and implemented in Python. The provided modules HeadersExperiment and InclusionIssues correspond to experiments 5.2 Security Headers and 5.3 JavaScript Inclusions in the paper.

TypeScriptCrawler

The TypeScriptCrawler is a modular crawling framework based on Playwright and implemented in TypeScript. The provided modules cxss and pmsecurity correspond to experiments 5.1 Client-Side XSS and 5.4 PostMessages in the paper.

Contact

If there are questions about our tools or paper, please either file an issue or contact jannis.rautenstrauch (AT) cispa.de.

Research Paper

The paper is available at the IEEE Computer Society Digital Library. You can cite our work with the following BibTeX entry: latex @inproceedings{rautenstrauch2024auth, author = {Rautenstrauch, Jannis and Mitkov, Metodi and Helbrecht, Thomas and Hetterich, Lorenz and Stock, Ben}, booktitle = {IEEE Symposium on Security and Privacy}, title = {{To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape}}, year = {2024}, doi = {10.1109/SP54263.2024.00094}, }

Owner

  • Name: CISPA
  • Login: cispa
  • Kind: organization
  • Email: front-office@cispa.de
  • Location: Saarbrücken, Saarland, Germany

GitHub Events

Total
  • Watch event: 1
  • Issue comment event: 1
Last Year
  • Watch event: 1
  • Issue comment event: 1

Dependencies

AccountFramework/Dockerfile docker
  • mcr.microsoft.com/playwright v1.40.0-jammy build
PythonCrawler/Dockerfile docker
  • mcr.microsoft.com/playwright v1.40.0-jammy build
TypeScriptCrawler/Dockerfile docker
  • mcr.microsoft.com/playwright v1.33.0-focal build
TypeScriptCrawler/src/package-lock.json npm
  • 245 dependencies
TypeScriptCrawler/src/package.json npm
  • @types/node 18.19.3 development
  • @types/node-schedule 2.1.0 development
  • @types/uuid 9.0.1 development
  • @types/validator 13.7.12 development
  • @typescript-eslint/eslint-plugin 6.4.0 development
  • @typescript-eslint/parser 6.4.0 development
  • eslint 8.47.0 development
  • tslib 2.5.0 development
  • argparse 2.0.1
  • csv-parse 5.3.6
  • dotenv 16.0.3
  • md5 2.3.0
  • moment 2.29.4
  • node-fetch 2.6.7
  • node-schedule 2.1.1
  • normalize-url 6.1.0
  • pg 8.9.0
  • pino 8.8.0
  • pino-multi-stream 6.0.0
  • pino-pretty 9.1.1
  • playwright 1.33.0
  • reflect-metadata 0.1.13
  • sequelize 6.28.2
  • sequelize-typescript 2.1.5
  • tld-extract 2.1.0
  • zeromq 6.0.0-beta.16
TypeScriptCrawler/src/snippets/insecure-webpages/package-lock.json npm
  • accepts 1.3.8
  • array-flatten 1.1.1
  • body-parser 1.20.1
  • bytes 3.1.2
  • call-bind 1.0.5
  • content-disposition 0.5.4
  • content-type 1.0.5
  • cookie 0.5.0
  • cookie-signature 1.0.6
  • debug 2.6.9
  • define-data-property 1.1.1
  • depd 2.0.0
  • destroy 1.2.0
  • ee-first 1.1.1
  • encodeurl 1.0.2
  • escape-html 1.0.3
  • etag 1.8.1
  • express 4.18.2
  • finalhandler 1.2.0
  • forwarded 0.2.0
  • fresh 0.5.2
  • function-bind 1.1.2
  • get-intrinsic 1.2.2
  • gopd 1.0.1
  • has-property-descriptors 1.0.1
  • has-proto 1.0.1
  • has-symbols 1.0.3
  • hasown 2.0.0
  • http-errors 2.0.0
  • iconv-lite 0.4.24
  • inherits 2.0.4
  • ipaddr.js 1.9.1
  • media-typer 0.3.0
  • merge-descriptors 1.0.1
  • methods 1.1.2
  • mime 1.6.0
  • mime-db 1.52.0
  • mime-types 2.1.35
  • ms 2.0.0
  • ms 2.1.3
  • negotiator 0.6.3
  • object-inspect 1.13.1
  • on-finished 2.4.1
  • parseurl 1.3.3
  • path-to-regexp 0.1.7
  • proxy-addr 2.0.7
  • qs 6.11.0
  • range-parser 1.2.1
  • raw-body 2.5.1
  • safe-buffer 5.2.1
  • safer-buffer 2.1.2
  • send 0.18.0
  • serve-static 1.15.0
  • set-function-length 1.1.1
  • setprototypeof 1.2.0
  • side-channel 1.0.4
  • statuses 2.0.1
  • toidentifier 1.0.1
  • type-is 1.6.18
  • unpipe 1.0.0
  • utils-merge 1.0.1
  • vary 1.1.2
TypeScriptCrawler/src/snippets/insecure-webpages/package.json npm
  • express 4.18.2
AccountFramework/app/requirements.txt pypi
  • Flask ==2.2.2
  • bullet ==2.2.0
  • httpx ==0.24.1
  • numpy ==1.24.0
  • pandas ==2.0.2
  • peewee ==3.15.4
  • playwright ==1.40.0
  • psycopg2 ==2.9.3
  • pyzmq ==25.0.0
  • requests ==2.28.1
  • scikit-learn ==1.2.0
  • tld ==0.12.6
  • tranco ==0.6
  • watchdog ==2.2.1
PythonCrawler/src/requirements.txt pypi
  • jupyterlab ==4.0.9
  • matplotlib ==3.8.2
  • numpy ==1.26.2
  • pandas ==2.1.3
  • peewee ==3.17.0
  • playwright ==1.40.0
  • psycopg2 ==2.9.9
  • pyzmq ==25.1.1
  • retirejs ==1.5
  • scikit-learn ==1.3.2
  • tld ==0.13