<!-- eFRBR 1.1 record set describing one conference paper: a work, its expression, the
     responsible persons and publisher, the subject concepts, and the relations between them.
     NOTE(review): xsi:schemaLocation points at an http:// URL. A validating consumer should
     resolve the efrbr 1.1 schema from a local, pinned copy rather than fetching the URL named
     in the document, and should parse with DTD and external-entity resolution disabled. -->
<efrbr:recordSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:efrbr="http://vfrbr.info/efrbr/1.1" xmlns:efrbr-work="http://vfrbr.info/efrbr/1.1/work" xmlns:efrbr-expression="http://vfrbr.info/efrbr/1.1/expression" xmlns:efrbr-manifestation="http://vfrbr.info/efrbr/1.1/manifestation" xmlns:efrbr-person="http://vfrbr.info/efrbr/1.1/person" xmlns:efrbr-corporateBody="http://vfrbr.info/efrbr/1.1/corporateBody" xmlns:efrbr-concept="http://vfrbr.info/efrbr/1.1/concept" xmlns:efrbr-structure="http://vfrbr.info/efrbr/1.1/structure" xmlns:efrbr-responsible="http://vfrbr.info/efrbr/1.1/responsible" xmlns:efrbr-subject="http://vfrbr.info/efrbr/1.1/subject" xmlns:efrbr-other="http://vfrbr.info/efrbr/1.1/other" xsi:schemaLocation="http://vfrbr.info/efrbr/1.1 http://vfrbr.info/schemas/1.1/efrbr.xsd"><efrbr:entities><efrbr-work:work identifier="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E"><efrbr-work:titleOfTheWork>The cookie hunter: automated black-box auditing for web authentication and authorization flaws</efrbr-work:titleOfTheWork></efrbr-work:work><efrbr-expression:expression identifier="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E"><efrbr-expression:titleOfTheExpression>The cookie hunter: automated black-box auditing for web authentication and authorization flaws</efrbr-expression:titleOfTheExpression><efrbr-expression:formOfExpression vocabulary="DIAS:TYPES">
            Δημοσίευση σε Συνέδριο
            Conference Publication
         </efrbr-expression:formOfExpression><efrbr-expression:dateOfExpression type="issued">2022-01-07</efrbr-expression:dateOfExpression><efrbr-expression:dateOfExpression type="published">2020</efrbr-expression:dateOfExpression><efrbr-expression:languageOfExpression vocabulary="iso639-1">en</efrbr-expression:languageOfExpression><efrbr-expression:summarizationOfContent>In this paper, we focus on authentication and authorization flaws in web apps that enable partial or full access to user accounts. Specifically, we develop a novel fully automated black-box auditing framework that analyzes web apps by exploring their susceptibility to various cookie-hijacking attacks while also assessing their deployment of pertinent security mechanisms (e.g., HSTS). Our modular framework is driven by a custom browser automation tool developed to transparently offer fault-tolerance during extended interactions with web apps. We use our framework to conduct the first automated large-scale study of cookie-based account hijacking in the wild. As our framework handles every step of the auditing process in a completely automated manner, including the challenging process of account creation, we are able to fully audit 25K domains. Our framework detects more than 10K domains that expose authentication cookies over unencrypted connections, and over 5K domains that do not protect authentication cookies from JavaScript access while also embedding third party scripts that execute in the first party's origin. Our system also automatically identifies the privacy loss caused by exposed cookies and detects 9,324 domains where sensitive user data can be accessed by attackers (e.g., address, phone number, password). 
Overall, our study demonstrates that cookie-hijacking is a severe and prevalent threat, as deployment of even basic countermeasures (e.g., cookie security flags) is absent or incomplete, while developers struggle to correctly deploy more demanding mechanisms.</efrbr-expression:summarizationOfContent><efrbr-expression:useRestrictionsOnTheExpression type="creative-commons">http://creativecommons.org/licenses/by/4.0/</efrbr-expression:useRestrictionsOnTheExpression><efrbr-expression:note type="page range">1953–1970</efrbr-expression:note><efrbr-expression:note type="conference name">2020 ACM SIGSAC Conference on Computer and Communications Security</efrbr-expression:note><efrbr-expression:note type="proceedings title">Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security</efrbr-expression:note></efrbr-expression:expression><efrbr-person:person identifier="F64D249D-4980-4F9A-97E4-DF6F6B7E252D"><efrbr-person:nameOfPerson vocabulary="">
            Drakonakis Kostas
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-person:person identifier="http://users.isc.tuc.gr/~sioannidis"><efrbr-person:nameOfPerson vocabulary="TUC:LDAP">
            Ioannidis Sotirios
            Ιωαννιδης Σωτηριος
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-person:person identifier="DFB5F1FF-D50C-4EE2-A1D7-4D98A056FA75"><efrbr-person:nameOfPerson vocabulary="">
            Polakis Jason
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-corporateBody:corporateBody identifier="https://v2.sherpa.ac.uk/id/publisher/21"><efrbr-corporateBody:nameOfTheCorporateBody vocabulary="S/R:PUBLISHERS">
            Association for Computing Machinery (ACM)
         </efrbr-corporateBody:nameOfTheCorporateBody></efrbr-corporateBody:corporateBody><efrbr-concept:concept identifier="EF7B60CA-4343-4D8D-A4F4-98FC6F95AEA2"><efrbr-concept:termForTheConcept>
            Black-box testing
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="1D515821-6B99-4482-9E25-13BE07DBA3B4"><efrbr-concept:termForTheConcept>
            Cookie hijacking
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="421FD421-D72D-45D5-8112-12F8AE759200"><efrbr-concept:termForTheConcept>
            Authentication
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="4F9A1D01-F2E6-4523-9E44-A1B6492E1090"><efrbr-concept:termForTheConcept>
            Authorization
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="EE5479F0-686C-4CA6-AFD7-B303495CDDF9"><efrbr-concept:termForTheConcept>
            Large-scale measurement
         </efrbr-concept:termForTheConcept></efrbr-concept:concept></efrbr:entities><efrbr:relationships><efrbr-structure:structureRelations><efrbr-structure:realizedThrough sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="expression" targetURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E"/></efrbr-structure:structureRelations><efrbr-responsible:responsibleRelations><efrbr-responsible:createdBy sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="person" targetURI="F64D249D-4980-4F9A-97E4-DF6F6B7E252D"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="person" targetURI="F64D249D-4980-4F9A-97E4-DF6F6B7E252D" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="person" targetURI="http://users.isc.tuc.gr/~sioannidis" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="person" targetURI="DFB5F1FF-D50C-4EE2-A1D7-4D98A056FA75" role="author"/>
<!-- NOTE(review): the targetURI of the next realizedBy is the identifier of the
     efrbr-corporateBody:corporateBody entity above (Association for Computing Machinery),
     yet targetEntity says "person". Confirm the entity value the efrbr 1.1 schema expects
     for corporate bodies; as written, a consumer resolving this relation by entity type
     will not find the target among the person entities. -->
<efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="person" targetURI="https://v2.sherpa.ac.uk/id/publisher/21" role="publisher"/></efrbr-responsible:responsibleRelations><efrbr-subject:subjectRelations><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="concept" targetURI="EF7B60CA-4343-4D8D-A4F4-98FC6F95AEA2"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="concept" 
targetURI="1D515821-6B99-4482-9E25-13BE07DBA3B4"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="concept" targetURI="421FD421-D72D-45D5-8112-12F8AE759200"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="concept" targetURI="4F9A1D01-F2E6-4523-9E44-A1B6492E1090"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/6BD2C596-CEC8-4BC6-89EF-3B9E7EA3275E" targetEntity="concept" targetURI="EE5479F0-686C-4CA6-AFD7-B303495CDDF9"/></efrbr-subject:subjectRelations><efrbr-other:otherRelations/></efrbr:relationships></efrbr:recordSet>