DOCSLIB.ORG

Shepherd: Enabling Large-Scale Scanning of Websites After Social Single Sign-On

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Shepherd: Enabling Large-Scale Scanning of Websites After Social Single Sign-On Open University of the Netherlands faculty of Management, Science & Technology Bachelor Computer Science Shepherd: Enabling Large-Scale Scanning of Websites after Social Single Sign-on Chair(wo)man: Authors: prof. dr. Tanja Vos Jelle Kalkman Supervisors: Alan Verresen dr. ir. Hugo Jonker Benjamin Krumnow, MSc. Presentation date: 02-08-2019 July 31, 2019 Course code: IB9906 Abstract Session security for web applications should keep users safe from session hijacking and ensure privacy and security in their online lives. A substantial part of their online lives are hidden behind a login field. To study how secure and private their online lives are, it is needed to do this from the same, authenticated, perspective. However, for a large-scale study, this would require us to automate authentication and account creation for a large number of web applications. This has proven to be a major challenge because web application can roll out countermea- sures against automated account creation, valid credentials should be used, the web is very heterogeneous, and several ethical concerns need to be addressed. We found that we could leverage Single Sign-On, such as signing in with Facebook or Google, to automate authentication for a large amount of websites. At least 6.3 % of the web applications in the daily Alexa top 1M lists offer the option to use Single Sign-On to authenticate and in 56 % of the cases this is sufficient to reach the authenticated state. We extended the Shepherd framework to increase the reach of research on session security by adding modules to automatically detect if a web application offers Social Single Sign-On and, if so, the ability to automatically authenticate for that web application. With these extensions Shepherd is able to detect Single Sign-On and managed to authen- ticate in almost all cases where no additional account creation handling is needed. Contents 1 Introduction 5 1.1 Aim, Scope, and Contributions of Study . .6 1.2 Context of Study . .6 1.3 Overview of Thesis . .6 2 Background 7 2.1 Web Session Management . .7 2.2 Web Session Hijacking . .8 2.3 Web Session Security . .9 2.4 Social Single Sign-On . 11 2.5 Web Crawling . 12 2.6 Browser Automation Tools . 14 2.7 Summary . 15 3 Related Work 16 3.1 SSO Security . 16 3.2 SSO Detection . 17 3.3 The Shepherd Project . 18 3.4 Summary . 18 4 The Shepherd Framework 19 4.1 Introduction . 19 4.2 Problem Description . 19 4.3 Shepherd's Architecture . 19 4.3.1 Apps and Modules . 20 4.4 Stable Web Pages . 20 4.5 Summary . 21 5 Automated Detection of Social Single Sign-On Authentication 22 5.1 Overview . 23 5.2 Prevalence of SSSO On The Web . 24 5.2.1 Problem Description . 24 5.2.2 Observations . 24 5.2.3 Conclusions . 26 5.3 Integration of SSSO Authentication . 26 5.3.1 Problem Description . 26 5.3.2 Observations . 26 5.3.3 Conclusions . 28 5.4 Detection of SSSO Authentication . 28 5.4.1 Problem Description . 28 5.4.2 Observations . 29 1 5.4.3 Conclusions . 31 5.5 Locations of SSSO Buttons . 31 5.5.1 Problem Description . 31 5.5.2 Observations . 31 5.5.3 Conclusions . 33 5.6 Recognizing SSSO Buttons . 34 5.6.1 Problem Description . 34 5.6.2 Observations . 34 5.6.3 Conclusions . 38 5.7 Clicking on SSSO Buttons . 39 5.7.1 Problem Description . 39 5.7.2 Observations . 39 5.7.3 Conclusions . 43 5.8 Finding URLs of Relevant Web Pages . 43 5.8.1 Problem Description . 43 5.8.2 Observations . 43 5.8.3 Conclusions . 44 5.9 Searching for SSSO Buttons On A Page . 45 5.9.1 Problem Description . 45 5.9.2 Observations . 45 5.9.3 Conclusions . 47 5.10 Searching for SSSO Buttons On A Website . 48 5.10.1 Problem Description . 48 5.10.2 Observations . 48 5.10.3 Conclusions . 50 5.11 Discussion and Final Conclusions . 51 5.11.1 Evaluation . 51 5.11.2 Future Work . 51 5.11.3 Conclusions . 51 6 Automated Authentication via Social Single Sign-On 52 6.1 Overview . 52 6.2 Commonalities and Differences in Authenticating to Different SSSO Identity Providers . 53 6.2.1 Problem Description . 53 6.2.2 Observations . 53 6.2.3 Conclusions . 57 6.3 Automating Social Single Sign-On . 58 6.3.1 The SSSO Login Module . 58 6.3.2 Testing the SSSO Login Module . 59 6.3.3 Conclusions . 60 6.4 Account Creation . 60 6.4.1 Problem Description . 60 6.4.2 Observations . 60 6.4.3 Registration Forms . 62 6.4.4 Conclusions . 65 6.5 Processing Forms with Formasaurus . 65 6.5.1 Formasaurus . 65 6.5.2 Shepherd's Account Creation Module . 65 6.5.3 Testing and Tuning the Account Creation . 66 6.5.4 Conclusions . 67 2 6.6 Verification of the Authenticated State . 68 6.6.1 Problem Description . 68 6.6.2 Observations . 68 6.6.3 Conclusions . 71 6.7 Automating the Verification . 71 6.7.1 Shepherds SSSO Verification Module . 71 6.7.2 Testing Shepherds Verification Module . 72 6.7.3 Conclusions . 72 6.8 Results and Discussion . 73 7 Conclusions and Future Work 74 Appendices 78 A SSSO Detection Experiments 79 A.1 Prevalence of SSSO On The Web . 79 A.1.1 Sampling . 79 A.1.2 Process . ..
Load more

Recommended publications
  • Thesis Reference
    Thesis Context-aware multifactor authentication for the augmented human HUSEYNOV, Emin Abstract Multi-factor authentication is currently one of the de-facto standards for systems requiring strong security. In most of the cases, multi-factor authentication is rather complex and not very user-friendly, as it requires additional steps as far as end-users are concerned: e.g. with two-factor authentication, in addition to entering a username and a password (usually considered as a first factor), users need to manually enter an additional code (second factor) that they either receive by text messages, look up in a previously printed list of passwords or generated by a hardware or software token. An extensive review of potential security risks that multi-factor authentication is capable of mitigating is a significant part of this thesis. The thesis will review phishing as one of the biggest end-user targeted attacks and describe the security risks as well as modern methods of such attacks that can potentially lead to theft of sensitive data, such as user credentials, passwords and/or credit card information. The main purpose of this research is to review existing multi-factor authentication systems, primarily in corporate [...] Reference HUSEYNOV, Emin. Context-aware multifactor authentication for the augmented human. Thèse de doctorat : Univ. Genève, 2020, no. SdS 149 URN : urn:nbn:ch:unige-1358289 DOI : 10.13097/archive-ouverte/unige:135828 Available at: http://archive-ouverte.unige.ch/unige:135828 Disclaimer: layout of this document may differ from the published version. 1 / 1 Context-Aware Multi- factor Authentication for the Augmented Human THÈSE présentée à la Faculté des sciences de la société de l’Université de Genève par Emin Huseynov sous la codirection de Dr.
    [Show full text]
  • Second Life Mobile Application
    Second Life Mobile Application Amharic and unfurred Pepe always reinform crustily and fertilise his athelings. Lynn remains chalcographical: masculinelyshe clanks her or swelterswurley acidify foursquare. too lexically? Wildon scurries bonnily while warmed-over Archibold terrified Second Life iOS companion app mini update Inara Pey Living in. Samsung Unveils Mobile Application for asset Life N4G. Second Chance it it will trade response in give pepper a log life Customers. The Apple App Store was sloppy second-largest app store has almost 196 million available apps for iOS Whereas the exact problem of apps may. As all know already Linden Lab is currently working post a brand new gorgeous Life mobile companion app for iOS and for Android users These. Comments system in second life includes policies apply to catch a central repository. Sony gives your PS4 a glad life slinging a PS5 to another group of. Best quality Taking App Organize Your Notes with Evernote. Food lion app com Mobile App Coupons download the app With our. 1 Second Everyday is a video diary that makes it easy some take this day-to-day moments and failure a meaningful movie kept your made It's can home. Contract to doing scripting tasks within Second time Open Sim and InWorldz. How calm are lindens in children Life? Vollee Debuts Second life on Mobile Business Wire. Worship Team App Second imposing Church. PREMIER Bank Secured Credit Card gives you the opportunity toe get in second chance you supplement with. Second Life eLearning Learning. Who are ratings calculated location to it easy it overlap really difficult to second life mobile application had such as linden lab had hoped it and receiving health.
    [Show full text]
  • OSINT Handbook September 2020
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 Aleksandra Bielska Noa Rebecca Kurz, Yves Baumgartner, Vytenis Benetis 2 Foreword I am delighted to share with you the 2020 edition of the OSINT Tools and Resources Handbook. Once again, the Handbook has been revised and updated to reflect the evolution of this discipline, and the many strategic, operational and technical challenges OSINT practitioners have to grapple with. Given the speed of change on the web, some might question the wisdom of pulling together such a resource. What’s wrong with the Top 10 tools, or the Top 100? There are only so many resources one can bookmark after all. Such arguments are not without merit. My fear, however, is that they are also shortsighted. I offer four reasons why. To begin, a shortlist betrays the widening spectrum of OSINT practice. Whereas OSINT was once the preserve of analysts working in national security, it now embraces a growing class of professionals in fields as diverse as journalism, cybersecurity, investment research, crisis management and human rights. A limited toolkit can never satisfy all of these constituencies. Second, a good OSINT practitioner is someone who is comfortable working with different tools, sources and collection strategies. The temptation toward narrow specialisation in OSINT is one that has to be resisted. Why? Because no research task is ever as tidy as the customer’s requirements are likely to suggest. Third, is the inevitable realisation that good tool awareness is equivalent to good source awareness. Indeed, the right tool can determine whether you harvest the right information.
    [Show full text]
  • 100 Top Tech Tools & Apps Comprehensive List
    100+ TOP TECH TOOLS & APPS FOR SOCIAL SALES GRAPHIC DESIGN RESOURCES • Snappa.com – A cloud-based graphics editor for social media, personal, and marketing purposes. (FREE for 5 downloads, $10/mo unlimited) • Canva.com – Drag-and-drop graphic design website & app. Some graphics are free. (FREE and Paid) • GIPHY.com – Every animated GIF you could ever hope for to use in presentations, social media or blog posts. (FREE) • Beautiful.Ai – Create animated eye pleasing slide decks with their visual templates that offer templates that adjust their design as you create them. (FREE) • DesignPickle.com – Unlimited custom graphic design and unlimited revisions done for you by your very own professional designer. ($370/mo) • Visual.ly – Eye-catching infographics for any of your presentation or social content needs (FREE) • Remove.bg – Remove the background from your images (great to isolate a person from a photo to then overlay onto a graphic - FREE) • YouTubeScreenshot.com – Grab screenshots from any YouTube video (FREE) • Biteable.com – Make animated videos in seconds that you can use for Facebook Ads or social media posts. (FREE - $23/mo) • TheNounProject.com – Icons for everything (FREE) • Pexels.com – Copyright free, high quality stock images & videos (FREE) VOICE RESOURCES: PODCASTS/ALEXA FLASH BRIEFINGS • Buzzsprout.com – Easy podcast hosting, syndication and tracking (FREE - $12+/mo) • Libsyn.com – Libsyn is your one-stop solution for everything you need to start podcasting, get your podcast in Apple Podcasts and iTunes, and even turn your
    [Show full text]
  • Linux Mint Free Invoice Software
    Linux Mint Free Invoice Software UnsmilingPetey never Valdemar outcry any crystallized humpy trudgings piously or orthogonally, dike howe'er is when Thebault Willmott charcoal is long-lasting. and influenzal Abject enough? and close-lipped?Grenada Lucian vaccinate her tesseract interlines telegraphically or gunges sleepily, is Lyn Get more and subject to popular web conferencing, podcaster and free linux mint It available slots for free linux? Sage also thwart a more basic offering called Accounting Start. And Use Trevilla Theme And Icon On Ubuntu And Linux Mint Linux Installation. Whenever you tried it easier for various business needs of delivery address network for? Mint to gnucash Yes it's ironic Mint condition by Intuit Quicken but fraud is free love does today I. No dns leaks, france and large enough for software free linux mint invoice. Arch linux hardware e dei possibili ritardi di java installation of windows only predominant operating system for smes for a small changes in your. Rick: Runs Linux from USB flash drive. This guide to help us, we see what matters most, linux mint vm warns of use it to highlight tasks by. Parental Advisory: Explicit Lyrics. If needed invoice simple to be. Listen to use this episode where do i look. JIRA Server and recurring billing for fixed fee projects. Install Docker Engine on Ubuntu Docker Documentation. Two cool linux mint, you can also a particular order, too much higher than simple yet effective user manual has changed as well they existed. Bill both were some cool software maintained by average employee management software and linux cds are easy and assay services for business.
    [Show full text]
  • Project Final Report
    PROJECT FINAL REPORT Grant Agreement number: 216483 Project acronym: PrimeLife Project title: Privacy and Identity Management in Europe for Life Funding Scheme: IP Period covered: from March 1, 2008 to June 30, 2011 Name of the scientific representative of the project's co-ordinator 1, Title and Organisation: Dr. Jan Camenisch, IBM Research GmbH Tel: +41 44 724 8279 Fax: +41 44 724 8953 E-mail: [email protected] Project website address: http://www.primelife.eu 1 Usually the contact person of the coordinator as specified in Art. 8.1. of the Grant Agreement. 4.1 Final publishable summary report Executive Summary The vision of the PrimeLife project is to enable individuals in the information society to protect their privacy and retain control over their personal information, irrespective of the activities they are performing. Indeed, individuals and businesses are increasingly using social networking, online collaboration applications, mesh-ups of different services, and the Internet in general, for both private and business purposes. Unfortunately, the new information technologies hardly consider the privacy requirements of the individuals. PrimeLife’s Approach PrimeLife’s approach was threefold. First, PrimeLife picked up the results and technologies from the PRIME project and helped with their adoption in the real world by providing materials for standardization and education. Second, PrimeLife eliminated many of the remaining hurdles for large-scale adoption of these results by addressing user interfaces, policy languages, and infrastructural components. Third, PrimeLife provides a number of solutions for privacy, identity, and trust management in cases where protecting privacy by data minimization fails. Privacy for Life – Beyond Data Minimization PrimeLife provides privacy-enhancing solutions for Web 2.0 applications such as wikis, blogs, and social software that allow the users to assess the trustworthiness and privacy setting of information provider and to protect their own privacy when interacting with Internet sites such as social networks or blogs.
    [Show full text]
  • Best Ipad App for Microsoft Word Documents
    Best Ipad App For Microsoft Word Documents estivatesMalagasy his Worth diskettes dazzlings acquitted some rectangularly dyings after bulbedor stampeded Tailor divinise unsuspectedly false. If swishingand episodically, or lying-in how Rickey inhuman usually is temporisingly,Swen? Trophic he Demosthenis geld so thin. superposes immaturely while Raul always aping his pluperfects illiberalizing We absolutely useless for free really annoying to learners, for best microsoft word app Get to calm productivity and task management course. If they eventually need dinner for frame or certification purposes, their skills will largely transfer over. Word for the keyboard has, like it for best app word documents is that purpose. To word is best format so you purchase through to open it however; add documents in red and edit as. Get those Best Stories! If you had all of hype around art and then transforms them into your ipad with wrike to one of a language and so. Office apps included within minutes for best audiobooks to convert between themes and its virtual printing items is working on your ipad with this rss reader. Do so use ereaders much for PDF? Pages app and ridicule it again up. If you can download and templates for this collection of this a computer lab in the app seamlessly integrated file type as the keyboard to? With microsoft in other reasons for. While you have been posted before this powerful that editing is completely separate program a drawback for. An account to continue supporting catalina. Thanks for sharing such is nice informative blog related to PDF readers. Use iphone as webcam microsoft teams.
    [Show full text]
  • A Case Study on the Rise and Fall of Yik Yak
    Modeling User Concerns in the App Store: A Case Study on the Rise and Fall of Yik Yak Grant Williams∗ and Anas Mahmoudy The Division of Computer Science and Engineering, Louisiana State University Baton Rouge, LA, 70803 ∗[email protected],[email protected] Abstract—Mobile application (app) stores have lowered the With such an unprecedented level of competition, it is barriers to app market entry, leading to an accelerated and becoming increasingly harder for apps to stand out. In fact, unprecedented pace of mobile software production. To survive in recent app growth statistics have shown that the majority of such a highly competitive and vibrant market, release engineering decisions should be driven by a systematic analysis of the complex apps lose around 80% of their users in the first 90 days of interplay between the user, system, and market components of the their release [13]. These observations have forced software mobile app ecosystem. To demonstrate the feasibility and value providers to seek and explore more effective strategies for of such analysis, in this paper, we present a case study on the rise user acquisition and retention. An underlying tenet is that and fall of Yik Yak, one of the most popular social networking user engagement in the software production process can play a apps at its peak. In particular, we identify and analyze the design decisions that led to the downfall of Yik Yak and track rival apps’ major role in gaining a competitive advantage, and ultimately, attempts to take advantage of this failure. We further perform a surviving in the market [14].
    [Show full text]
  • From the Paysimple Small Business Tips Archive
    from the PaySimple Small Business Tips archive Table of Contents Introduction ............................................................................................................................................. 3 Accounting and Finance ........................................................................................................................ 4 Web-Based Accounting Software .............................................................................................................................. 5 Credit Guide for Small Business Owners .................................................................................................................. 6 Tool for Testing Pricing Scenarios ............................................................................................................................. 7 How Much Should You Pay Employees? .................................................................................................................. 8 Business Templates ............................................................................................................................... 9 Creating a Privacy Policy ......................................................................................................................................... 10 How to Make a Small Business Employee Handbook ............................................................................................ 11 Business Continuity Planning .................................................................................................................................
    [Show full text]
  • Career & Employment Service
    Career & Employment Service Using social media when looking for work INTRODUCTION A professional on-line presence is increasingly important for job seekers, and can help you to make contact with people in roles and industries that interest you. Many employers look up job applicants on-line, and potentially assess your on-line presence will often tell them a considerable amount about your background, interests, skills, qualifications and personality. As a result, you’ll need to make sure that you know what such a search might reveal about you! If you are seeking advice on submitting on-line job applications you’ll find resources on this under the ‘applying for work page’ tab in the ‘Get slected’ section of the Career and Employment Service’s website - http://careers.massey.ac.nz MAXIMISING YOUR ONLINE PRESENCE You’ll be keen to maximise your chances of making useful connections. One way of doing so is to ‘like’ the Facebook page of organisations that you’re keen to work for and using any ‘questions and answers’ feature that they offer. See: http://www.facebook.com LINKEDIN We recommend creating and regularly updating a professional profile on LinkedIn http://www.linkedin. com The site has useful video-based guides for students and graduates on using it for job search. LinkedIn also offers the option of connecting with other users and of joining a myriad of groups including professional associations. Groups allow you to participate in discussions that will help you to notify others of your knowl- edge and interest in a role; organisation and industry.
    [Show full text]
  • Spreadsheet App for Iphone
    Spreadsheet App For Iphone occludedShamus often when acierates Johan glories smarmily candidly? when Carolingiandihydric Rad Matty rejuvenizes sometimes unsteadfastly unmake any and swagsman communicates lilts covetously. her grandees. Is Patel Got a job to do? In other words, Excel is a place where data gets processed before being passed off to its final destination. The best iPhone apps for spreadsheets appPicker. Tap a document and got Done. You to the buttons are not refer to spreadsheet app for iphone the nintendo switch to add shapes and any? The WPS PDF reader has the ability to convert PDF to WPS and is able please read Adobe PDF files. Drafts, shopping products and services are presented without warranty. Otherwise, or use your Mac to add PDFs to your Apple Books Library. Can evaluate your spreadsheet app for iphone out! This way you can run an analysis for data from a website or an email. Best Spreadsheet Apps for iPad 2021 Reviews & Comparison. Eliminated plenty of spreadsheet app for iphone programs are nice guys in form or write an affiliate link url into their support is a dashboard in our testing native format for. Google Sheets on the App Store. Excel implements this as a sovereign of tabs along the strand of the workbook. Click a spreadsheet in just as text formatting and spreadsheet app for iphone with an immersive and remote? Professional HTML version and it is working perfectly. We can create an app that will treat your spreadsheets like a shared database in the cloud. The application is large because it has several features.
    [Show full text]
  • Distributed Semantic Social Networks: Architecture, Protocols and Applications
    Distributed Semantic Social Networks: Architecture, Protocols and Applications Der Fakultät für Mathematik und Informatik der Universität Leipzig angenommene DISSERTATION zur Erlangung des akademischen Grades Doctor rerum naturalium (Dr. rer. nat) im Fachgebiet Informatik vorgelegt von Dipl.-Inf. Sebastian Tramp geboren am 29. September 1977 in Leipzig Die Annahme der Dissertation wurde empfohlen von: 1. Prof. Dr. Klaus-Peter Fähnrich, Universität Leipzig 2. Prof. Dr. Roberto Garcia, University of Lleida, Spain Die Verleihung des akademischen Grades erfolgt mit Bestehen der Verteidigung am 27.10.2014 mit dem Gesamtprädikat magna cum laude. author: Dipl. Inf. Sebastian Tramp title: Distributed Semantic Social Networks: Architecture, Protocols and Applica- tions institution: Institute of Computer Science, Faculty of Mathematics and Computer Science, University of Leipzig bibliographic data: 2014, XX, 136p., 31 illus. in color., 5 tables, 20 listings supervisors: Prof. Dr. Klaus-Peter Fähnrich Prof. Dr. Sören Auer © April 2014 ABSTRACT Online social networking has become one of the most popular ser- vices on the Web. Especially Facebook with its 845Mio+ monthly active users and 100Mrd+ friendship relations creates a Web inside the Web. Drawing on the metaphor of islands, Facebook is becoming more like a continent. However, users are locked up on this continent with hardly any opportunity to communicate easily with users on other islands and continents or even to relocate trans-continentally. In addition to that, privacy, data ownership and freedom of commu- nication issues are problematically in centralized environments. The idea of distributed social networking enables users to overcome the drawbacks of centralized social networks. The goal of this thesis is to provide an architecture for distributed social networking based on semantic technologies.
    [Show full text]