Shepherd: a Generic Approach to Automating Website Login

Abstract: To gauge adoption of web security measures, largescale testing of website security is needed. However, the diversity of modern websites makes a structured approach to testing a daunting task. This is especially a problem with respect to logging in: there are many subtle deviations in the flow of the login process between websites. Current efforts investigating login security typically are semi-automated, requiring manual intervention which does not scale well. Hence, comprehensive studies of post-login areas h… Show more

“…For example, sites where registration is simple and accounts are not associated with (personal) value will be prevalent, while other accounts (banks, social media, online stores), will be underrepresented or even absent due to the rules governing the crowdsourcing effort. The current largest study based on this approach [4] gathered credentials for ∼50K sites, and was successful on 7.1K of these (14%).…”

“…To collect data, we use Shepherd [4], a crawling framework based on Selenium and WebDriver to automate interaction with the Chromium browser. It uses a multi-step approach to automate the login process for unknown sites.…”

“…However, web session security studies have been fairly limited so far. Analyzing web session security requires authenticated access to web applications, which is a difficult process to automate [4]. Thus, prior work on web session security reported on either (i) small-scale precise measurements involving a significant amount of manual effort [5,6,7], or (ii) large-scale measurements based on unauthenticated access to web applications, which miss valuable information, e.g., the login and logout processes [8].…”

“…We build our work on top of the Shepherd framework [4] for automated postlogin studies, which we extend to mechanize the logout process and include new traffic collection facilities. Our analysis is designed to be non-intrusive and ethical: we leverage existing access credentials of popular sites from the public BugMeNot 1 database and we check compliance with security best practices without actively mounting attacks when we might violate existing terms of services.…”

“…1. We use Shepherd [4] to create a data set of traffic and client-side storage related to all phases of session security: logging in, post-login, logging out.…”

Measuring Web Session Security at Scale

“…For example, sites where registration is simple and accounts are not associated with (personal) value will be prevalent, while other accounts (banks, social media, online stores), will be underrepresented or even absent due to the rules governing the crowdsourcing effort. The current largest study based on this approach [4] gathered credentials for ∼50K sites, and was successful on 7.1K of these (14%).…”

“…To collect data, we use Shepherd [4], a crawling framework based on Selenium and WebDriver to automate interaction with the Chromium browser. It uses a multi-step approach to automate the login process for unknown sites.…”

“…However, web session security studies have been fairly limited so far. Analyzing web session security requires authenticated access to web applications, which is a difficult process to automate [4]. Thus, prior work on web session security reported on either (i) small-scale precise measurements involving a significant amount of manual effort [5,6,7], or (ii) large-scale measurements based on unauthenticated access to web applications, which miss valuable information, e.g., the login and logout processes [8].…”

“…We build our work on top of the Shepherd framework [4] for automated postlogin studies, which we extend to mechanize the logout process and include new traffic collection facilities. Our analysis is designed to be non-intrusive and ethical: we leverage existing access credentials of popular sites from the public BugMeNot 1 database and we check compliance with security best practices without actively mounting attacks when we might violate existing terms of services.…”

“…1. We use Shepherd [4] to create a data set of traffic and client-side storage related to all phases of session security: logging in, post-login, logging out.…”

Measuring Web Session Security at Scale

Quantifying User Password Exposure to Third-Party CDNs

Load-and-Act: Increasing Page Coverage of Web Applications