To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape
Jannis Rautenstrauch, Metodi Mitkov, Thomas Helbrecht, Lorenz Hetterich, Ben Stock
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 6
Traditional web security research often relies on automated crawlers that interact with websites as unauthenticated users, starting each session from a fresh browser state. This approach, while efficient for broad surveys, fundamentally overlooks the experience of an authenticated user – someone logged into their account, interacting with a personalized portal, or accessing application-specific functionalities. This talk, "To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape," presented by Jannis Rautenstrauch and his colleagues Metodi Mitkov, Thomas Helbrecht, Lorenz Hetterich, and Ben Stock at IEEE S&P, directly addresses this critical blind spot.
AI review
This research meticulously dismantles the flawed premise of unauthenticated-only web security assessments, proving that a significant portion of the attack surface, particularly client-side XSS and third-party integrations, is only visible post-login. The methodology is robust, the findings are concrete, and the implications for both defenders and researchers are profound. This isn't just a paper; it's a re-calibration of how we measure web security.