Author(s): Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong

Download: Paper (PDF)

Date: 23 Apr 2013

Document Type: Presentations

Additional Documents: Slides

Associated Event: NDSS Symposium 2013


This paper addresses the problem of automatically extracting authentication protocol specifications from their implementations and finding security flaws in the extracted specifications. We propose AUTHSCAN, an end-to-end platform that recovers an authentication protocol's specification from its deployed implementations. AUTHSCAN finds a total of 7 security vulnerabilities, both in web applications that use single sign-on (SSO) protocol implementations and in the custom web authentication logic of several web sites with millions of users.