rautenstrauch2024auth.pdf (306.29 kB)

To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape

Download (306.29 kB)
conference contribution
posted on 2024-05-15, 10:46 authored by Jannis RautenstrauchJannis Rautenstrauch, Metodi Mitkov, Thomas Helbrecht, Lorenz Andreas Hetterich, Ben StockBen Stock
The web has evolved from a way to serve static content into a full-fledged application platform. Given its pervasive presence in our daily lives, it is therefore imperative to conduct studies that accurately reflect the state of security on the web. Many research works have focussed on detecting vulnerabilities, measuring security header deployment, or identifying roadblocks to a more secure web. To conduct these studies at a large scale, they all have a common denominator: they operate in automated fashions without human interaction, i.e., visit applications in an unauthenticated manner. To understand whether this unauthenticated view of the web accurately reflects its security as observed by regular users, we conduct a comparative analysis of 200 websites. By relying on a semi-automated framework to log into applications and crawl them, we analyze the differences between unauthenticated and authenticated states w.r.t. client-side XSS flaws, usage of security headers, postMessage handlers, and JavaScript inclusions. In doing so, we discover that the unauthenticated web could provide a significantly skewed picture of security depending on the type of research question.


Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)


@conference{Rautenstrauch:Mitkov:Helbrecht:Hetterich:Stock:2024, title = "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape", author = "Rautenstrauch, Jannis" AND "Mitkov, Metodi" AND "Helbrecht, Thomas" AND "Hetterich, Lorenz Andreas" AND "Stock, Ben", year = 2024, month = 5, doi = "10.1109/SP54263.2024.00094" }

Usage metrics


    No categories selected



    Ref. manager