To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape

Jannis Rautenstrauch, Metodi Mitkov, Thomas Helbrecht, Lorenz Hetterich, and Ben Stock
In 45th IEEE Symposium on Security and Privacy, May 2024

Abstract

The web has evolved from a way to serve static content into a full-fledged application platform. Given its pervasive presence in our daily lives, it is therefore imperative to conduct studies that accurately reflect the state of security on the web. Many research works have focussed on detecting vulnerabilities, measuring security header deployment, or identifying roadblocks to a more secure web. To conduct these studies at a large scale, they all have a common denominator: they operate in automated fashions without human interaction, i.e., visit applications in an unauthenticated manner.

To understand whether this unauthenticated view of the web accurately reflects its security as observed by regular users, we conduct a comparative analysis of 200 websites. By relying on a semi-automated framework to log into applications and crawl them, we analyze the differences between unauthenticated and authenticated states w.r.t. client-side XSS flaws, usage of security headers, postMessage handlers, and JavaScript inclusions. In doing so, we discover that the unauthenticated web could provide a significantly skewed picture of security depending on the type of research question.
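The comparison the abstract describes, reduced to its core: for each site, take the observations from an unauthenticated crawl and an authenticated crawl and diff them along the four dimensions named above (security headers, third-party script inclusions, postMessage handlers, and XSS findings). The code below is an added illustration, not the paper's crawling framework; the `CrawlState` structure, the header list, and the two sample sites are constructed assumptions so that the example runs offline.

```python
"""Diff security observations between pre-login and post-login crawl states.

Added example with constructed sample data; it is not the paper's framework.
"""

from dataclasses import dataclass, field

# Response headers whose presence is commonly measured in web security studies.
# The set is an assumption for this example, not the paper's exact list.
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


@dataclass
class CrawlState:
    """Observations for one site in one state (unauthenticated or authenticated)."""
    headers: dict                      # response headers of the crawled pages
    script_origins: set = field(default_factory=set)  # origins of included scripts
    postmessage_handlers: int = 0      # number of message-event listeners observed
    xss_findings: int = 0              # client-side XSS sinks confirmed by the crawler


def security_headers_present(headers):
    """Return the subset of SECURITY_HEADERS present (case-insensitive) in headers."""
    normalized = {name.lower() for name in headers}
    return {h for h in SECURITY_HEADERS if h in normalized}


def compare_states(unauth, auth):
    """Diff one site's unauthenticated view against its authenticated view."""
    pre = security_headers_present(unauth.headers)
    post = security_headers_present(auth.headers)
    return {
        "headers_only_pre": sorted(pre - post),
        "headers_only_post": sorted(post - pre),
        "scripts_only_post": sorted(auth.script_origins - unauth.script_origins),
        "new_postmessage_handlers": auth.postmessage_handlers - unauth.postmessage_handlers,
        "new_xss_findings": auth.xss_findings - unauth.xss_findings,
    }


def summarize(sites):
    """Count, across sites, how often the unauthenticated view would be misleading.

    `sites` maps a site name to a (unauth_state, auth_state) pair.
    """
    summary = {"sites": 0, "header_diff": 0, "new_scripts": 0,
               "new_handlers": 0, "new_xss": 0}
    for unauth, auth in sites.values():
        diff = compare_states(unauth, auth)
        summary["sites"] += 1
        if diff["headers_only_pre"] or diff["headers_only_post"]:
            summary["header_diff"] += 1
        if diff["scripts_only_post"]:
            summary["new_scripts"] += 1
        if diff["new_postmessage_handlers"] > 0:
            summary["new_handlers"] += 1
        if diff["new_xss_findings"] > 0:
            summary["new_xss"] += 1
    return summary


# Constructed sample data for two hypothetical sites (not real measurements).
SAMPLE_SITES = {
    "site-a.example": (
        CrawlState(headers={"Content-Security-Policy": "default-src 'self'",
                            "Strict-Transport-Security": "max-age=31536000"},
                   script_origins={"https://site-a.example"}),
        # Post-login: CSP disappears, an analytics script and two handlers appear.
        CrawlState(headers={"Strict-Transport-Security": "max-age=31536000"},
                   script_origins={"https://site-a.example",
                                   "https://analytics.example.net"},
                   postmessage_handlers=2, xss_findings=1),
    ),
    "site-b.example": (
        CrawlState(headers={"X-Frame-Options": "DENY"}),
        CrawlState(headers={"X-Frame-Options": "DENY"}),
    ),
}

if __name__ == "__main__":
    for name, (pre, post) in SAMPLE_SITES.items():
        print(name, compare_states(pre, post))
    print(summarize(SAMPLE_SITES))
```

Running the block prints, per site, which observations exist only in one state, and then an aggregate count of sites on which an unauthenticated-only crawl would have reached a different conclusion. The header comparison is case-insensitive on purpose: header names are case-insensitive in HTTP, and servers frequently differ in capitalization between pages.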

BibTeX


@inproceedings{rautenstrauchAuthNotAuth2024,
  title = {To {{Auth}} or {{Not To Auth}}? {{A Comparative Analysis}} of the {{Pre-}} and {{Post-Login Security Landscape}}},
  shorttitle = {To {{Auth}} or {{Not To Auth}}?},
  booktitle = {{{IEEE Symposium}} on {{Security}} and {{Privacy}}},
  author = {Rautenstrauch, Jannis and Mitkov, Metodi and Helbrecht, Thomas and Hetterich, Lorenz and Stock, Ben},
  date = {2024},
  publisher = {IEEE Computer Society},
  doi = {10.1109/SP54263.2024.00094},
  abstract = {The web has evolved from a way to serve static content into a full-fledged application platform. Given its pervasive presence in our daily lives, it is therefore imperative to conduct studies that accurately reflect the state of security on the web. Many research works have focussed on detecting vulnerabilities, measuring security header deployment, or identifying roadblocks to a more secure web. To conduct these studies at a large scale, they all have a common denominator: they operate in automated fashions without human interaction, i.e., visit applications in an unauthenticated manner. To understand whether this unauthenticated view of the web accurately reflects its security as observed by regular users, we conduct a comparative analysis of 200 websites. By relying on a semi-automated framework to log into applications and crawl them, we analyze the differences between unauthenticated and authenticated states w.r.t. client-side XSS flaws, usage of security headers, postMessage handlers, and JavaScript inclusions. In doing so, we discover that the unauthenticated web could provide a significantly skewed picture of security depending on the type of research question.},
  isbn = {9798350331301},
  langid = {english}
}