AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations
Author(s): Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong
Download: Paper (PDF)
Date: 23 Apr 2013
Document Type: Presentations
Additional Documents: Slides
Associated Event: NDSS Symposium 2013
Abstract:
This paper addresses the problem of automatically extracting specifications from implementations and finding security flaws in them. We propose AUTHSCAN, an end-to-end platform that recovers an authentication protocol's specification from its implementation. AUTHSCAN finds a total of 7 security vulnerabilities, both in web applications that use SSO protocol implementations and in the custom web authentication logic of several web sites with millions of users.