What is a Pass-The-Cookie Attack?

By using pass-the-cookie techniques, attackers can access web applications without knowing a userid, password or even the one-time password from a multi-factor system. And if the web application in question is the management console for your AWS, Google or Azure environment, then whoever stole the cookie has the keys to your kingdom.

In January 2021, CISA drew attention to an increase in attacks against cloud-based infrastructures using pass-the-cookie attacks. So, what is a pass-the-cookie attack, and how can you defend against it?

What are Session Cookies?

Cookies are small amounts of data stored locally by a web browser and echoed back to the same website that created them. Each browser maintains its own independent cookie store, so cookies saved from a site visited in Firefox are not visible to Chrome, for example. One of the things achieved by opening a Private Browsing / Incognito window is that the window is given a new, empty, temporary cookie store, although the private-mode behaviour of each browser differs slightly. (For example, each tab in Safari's Private mode operates with its own independent cookie store, whereas all tabs open in the same Chrome Incognito window share the same transient cookie store.)

A session cookie is simply a cookie that is storing information used by the web application to manage the current user’s session. It is stored in the main cookie database of the web browser with all the others.

Session cookies are generated by the web application after a user has logged in successfully. This means a session cookie confirms that the userid and password are valid, and that the user has successfully passed any multi-factor authentication challenges, such as using a dongle, biometric authentication or submitting a one-time password.

When a web application receives a request from a browser, a copy of the session cookie is included. The web application validates the session cookie and uses it to authenticate and authorise the request. Sending the session cookie is more secure and convenient than repeatedly transmitting the userid and password of the current user. The session cookie should be designed with a time-limited life of a few minutes or hours, depending on the nature of the web application. However, while the session cookie is still valid it is a master key, providing access to the web application for anyone able to steal a copy.

The two key facts to remember about session cookies:

  1. The session cookie is generated AFTER any multi-factor authentication has taken place
  2. The cookie is accepted by the server as proof of authentication without the need to know or provide a username or password

Session cookies can be protected by ensuring they are not left on endpoint systems any longer than necessary.  A session cookie should be deleted automatically by the browser when the user logs out of the web application (i.e. the session has been ended) – this is why it is best practice to always log out of web applications and not simply shut the browser tab or leave it idle in the background.  Session cookies might be deleted when the user shuts down the web browser depending on the configuration settings for the browser – however this is not as reliable as logging out of the web application as a means of clearing any session cookies.

What is a Pass-the-Cookie Attack?

A pass-the-cookie attack happens when a malicious user is able to get a copy of a valid cookie and then inject it into their own session while interacting with the target web application. The cookie could be stolen through a number of attack vectors, including a man-in-the-middle attack that intercepts the traffic between the user and the web application, or by monitoring network traffic if the web application does not follow secure design principles. The cookie could also be stolen from the local browser cache or the memory of running processes by malware that has been installed on the target user’s computer.

Firefox, for example, stores all the cookies in a local SQLite database which can be accessed with a variety of hacker tools such as firefox_creds.

If the cookie acquired is a session cookie, then the attacker is able to inject that into their own session while accessing the web application using the developer tools built into their web browser.  On doing this, the web application will trust the session cookie and grant the attacker all the rights and access of the user who originally logged in to create the session.  This access will persist for as long as the session cookies are configured to remain valid as defined by the web application.

The migration to cloud based environments means that targets valuable to criminals such as file and database servers are no longer present on the main network in many organisations.  As a result, attackers that have infiltrated a network are prioritising the search for session cookies that grant access to cloud environment management consoles. Capturing the session cookie for a user with administrator access to the AWS or Azure management console potentially gives the attackers full control over the whole cloud environment. The attackers could then grant themselves persistent access, install ransomware on any server or even shut down servers and lock out the organisation’s own support staff.

Mitigating Pass-The-Cookie Attacks

Developers of web applications can take steps to make their applications more resilient to pass-the-cookie attacks.  This could include:

  • Reducing the lifetime of session cookies so they expire more quickly, thereby reducing the window of opportunity to steal and make use of them.
  • Using additional metadata to invalidate the session, such as an unexpected source IP or time of day of access. In this scenario a stolen session cookie would not be considered valid by the web application if the source IP address it is sent from changes during the life of the session, as this could indicate the cookie has moved from a legitimate user onto the system of an attacker.
  • Requiring client-side certificates. With a small number of users, client-side certificates make pass-the-cookie attacks more challenging, as the attacker would need to obtain a copy of the certificate as well as the session cookie. However, with larger user populations client-side certificates can prove to be a logistical and administrative nightmare and so may not be viable for some systems.
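The first two mitigations above (a short lifetime and binding the session to request metadata) can be combined in the server-side session check. The following is an added example, not code from the article or from any particular framework: the in-memory dictionary stands in for a real session backend, and the 15-minute TTL is an assumed value.

```python
"""Server-side session validation that binds a cookie to its issue time and the
client IP it was issued to. Added example; the dict is a stand-in backend."""
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed: short lifetime narrows the replay window
_sessions = {}  # session_id -> {"user", "ip", "issued", "last_seen"}


def issue_session(user, client_ip, now=None):
    """Create a session only after login and MFA have completed; bind it to the IP."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable, so only a stolen copy is a threat
    _sessions[sid] = {"user": user, "ip": client_ip, "issued": now, "last_seen": now}
    return sid


def validate_session(sid, client_ip, now=None):
    """Return (user, reason); user is None when the request must be rejected.

    An expired lifetime or a changed source IP revokes the session outright, so a
    stolen cookie replayed from another host also ends the legitimate session and
    the real user is forced to log in again (which is the signal we want)."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None, "unknown session"
    if now - entry["issued"] > SESSION_TTL_SECONDS:
        _sessions.pop(sid, None)
        return None, "expired"
    if entry["ip"] != client_ip:
        _sessions.pop(sid, None)  # the cookie has moved to a different host
        return None, "source ip changed"
    entry["last_seen"] = now
    return entry["user"], "ok"


def logout(sid):
    """Explicit logout invalidates the cookie server side, not just in the browser."""
    return _sessions.pop(sid, None) is not None
```

Binding to the source IP will also log out legitimate users whose address changes mid-session (mobile networks, VPN failover), so the reason string should be surfaced in audit logs rather than silently swallowed.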

To avoid pass-the-cookie attacks being used to pivot to cloud infrastructures, good security hygiene is needed by the cloud administrators including:

  • Access Cloud admin consoles using Incognito mode to reduce persistent cookie storage on desktop systems.
  • Explicitly log off from Cloud admin consoles as soon as a task is completed and close the browser application completely to force the deletion of session cookies.
  • Regularly monitor user access logs for the cloud environment to identify unusual access patterns.
  • Create multiple user accounts with different access permissions based on the least privilege principle – this can limit the utility and value of stolen session cookies.
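The "monitor user access logs" item above can be turned into a concrete hunt: a single session identifier presented from more than one source address is the classic footprint of a passed cookie. The following is an added example, not code from the article; the log format and the six log lines are constructed for the demo, and real cloud console audit logs carry equivalent session, principal and source-address fields.

```python
"""Flag sessions that appear from more than one source IP in an access log.
Added example; the log format and sample lines below are constructed."""
from collections import defaultdict

# Constructed sample: "<iso-time> session=<id> user=<name> ip=<addr> action=<name>"
SAMPLE_LOG = """\
2021-01-13T09:02:11Z session=s1 user=alice ip=203.0.113.10 action=ListBuckets
2021-01-13T09:05:40Z session=s1 user=alice ip=203.0.113.10 action=GetObject
2021-01-13T09:07:02Z session=s1 user=alice ip=198.51.100.7 action=CreateAccessKey
2021-01-13T09:09:15Z session=s2 user=bob ip=203.0.113.22 action=DescribeInstances
2021-01-13T09:30:00Z session=s3 user=carol ip=192.0.2.5 action=ListBuckets
2021-01-13T09:31:10Z session=s3 user=carol ip=192.0.2.5 action=GetObject
"""


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"time": parts[0]}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    return rec if all(k in rec for k in ("session", "user", "ip")) else None


def find_shared_sessions(log_text):
    """Return {session_id: {"user", "ips", "first_new_ip_at"}} for every session
    that was presented from more than one source address, in time order."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_session[rec["session"]].append(rec)
    alerts = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
        ips, first_new_ip_at = [], None
        for rec in recs:
            if rec["ip"] not in ips:
                ips.append(rec["ip"])
                if len(ips) == 2:  # the moment the cookie first showed up elsewhere
                    first_new_ip_at = rec["time"]
        if len(ips) > 1:
            alerts[sid] = {"user": recs[0]["user"], "ips": ips,
                           "first_new_ip_at": first_new_ip_at}
    return alerts
```

In the sample, session s1 is flagged at 09:07:02Z when it moves from 203.0.113.10 to 198.51.100.7; the action performed from the new address is exactly the kind of persistence step worth triaging first.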

In many cases, the session cookie is stolen from the endpoint running the browser that is accessing the target web application.  In other words, these pass-the-cookie attacks are post-infiltration attacks – and preventing the attackers from getting into your network in the first place is the most effective mitigation: