By using Pass-the-cookie techniques, attackers can access web applications without knowing a userid, password or even the one-time password from a multi-factor system. And if the web application in question is the management console for your AWS, Google or Azure environment then they stolen have the keys to your kingdom.

In January 2021, CISA drew attention to an increase in attacks against Cloud based infrastructures using pass-the-cookie attacks. So, what is a pass-the-cookie attack, and how can you defend against it?

What are Session Cookies?

Cookies are small amounts of data stored in the cache of a web browser and echoed back to the same website that created them.  Each browser maintains its own independent cookie storage database – so cookies saved from a site accessed using Firefox are not visible to Chrome, for example. One of the things achieved by opening a Private Browsing / Incognito window in a browser is that window is provided with a new, empty, temporary cookie database. Although the private mode behaviour of each browser differs slightly. (For example, each tab in Private mode Safari operates with its own independent cookie database, whereas all tabs open in the same Private Chrome window share the same transient cookie database.)

A session cookie is simply a cookie that is storing information used by the web application to manage the current user’s session. It is stored in the main cookie database of the web browser with all the others.

Session Cookies are generated by the web application after a user has logged in successfully.  This means a session cookie confirms that the userid and password are valid, and the user has successfully passed any multi-factor authentication challenges such as using a dongle, bio-metric authentication or submitted a one-time password.

When a web application receives a request from a browser a copy of the session cookie is included. The web application validates the session cookie and uses it to authenticate and authorise the request.  Sending the session cookie is more secure and convenient than repeatedly transmitting the userid and password of the current user. The session cookie should be designed with a time limited life of a few minutes or hours depending on the nature of the web application. However, while the session cookie is still valid – it is a master key providing access to the web application for anyone able to steal a copy.

The two key facts to remember about session cookies:

1. The session cookie is generated AFTER any multi-factor authentication has taken place
2. The cookie is accepted by the server as proof of authentication without the need to know or provide a username or password

Session cookies can be protected by ensuring they are not left on endpoint systems any longer than necessary.  A session cookie should be deleted automatically by the browser when the user logs out of the web application (i.e. the session has been ended) – this is why it is best practice to always log out of web applications and not simply shut the browser tab or leave it idle in the background.  Session cookies might be deleted when the user shuts down the web browser depending on the configuration settings for the browser – however this is not as reliable as logging out of the web application as a means of clearing any session cookies.

What is a Pass-the-cookie Attack

A pass-the-cookie attack happens when a malicious user is able to get a copy of a valid cookie and then inject it into their own session while interacting with the target web application.  The cookie could be stolen through a number of attack vectors, including: a man-in-the-middle-attack by intercepting the traffic between the user and the web application, or by monitoring network traffic if the web application does not follow secure design principles.  The cookie could also be stolen from the local browser cache or the memory of running processes by malware that has been installed onto the target user’s computer.

Firefox, for example, stores all the cookies in a local SQLite database which can be accessed with a variety of hacker tools such as firefox_creds.

If the cookie acquired is a session cookie, then the attacker is able to inject that into their own session while accessing the web application using the developer tools built into their web browser.  On doing this, the web application will trust the session cookie and grant the attacker all the rights and access of the user who originally logged in to create the session.  This access will persist for as long as the session cookies are configured to remain valid as defined by the web application.

The migration to cloud based environments means that targets valuable to criminals such as file and database servers are no longer present on the main network in many organisations.  As a result, attackers that have infiltrated a network are prioritising the search for session cookies that grant access to cloud environment management consoles. Capturing the session cookie for a user with administrator access to the AWS or Azure management console potentially gives the attackers full control over the whole cloud environment. The attackers could then grant themselves persistent access, install ransomware on any server or even shut down servers and lock out the organisation’s own support staff.

Mitigating Pass-The-Cookie Attacks

Developers of web applications can take steps to make their applications more resilient to pass-the-cookie attacks.  This could include:

• Reducing the lifetime of session cookies so they expire more quickly thereby reducing the window of opportunity to steal and make use of them.
• Use additional meta-data to invalidate the session such as unexpected source IP or time of day of access. In this scenario a stolen session cookie would not be considered valid by the web application if the source IP address it is sent from changes during the life of the session as this could indicate the cookie has moved from a legitimate user onto the system of an attacker.
• Require Client-Side certificates. With a small number of users, client-side certificates make pass-the-cookie attacks more challenging as the attacker would need to obtain a copy of the certificate as well as the session cookie. However, with larger user populations client side certificates can prove to be a logistical and administrative nightmare and so may not be viable for some systems.

To avoid pass-the-cookie attacks being used to pivot to cloud infrastructures, good security hygiene is needed by the cloud administrators including:

• Access Cloud admin consoles using Incognito mode to reduce persistent cookie storage on desktop systems.
• Explicitly log off from Cloud admin consoles as soon as a task is completed and close the browser application completely to force the deletion of session cookies.
• Regularly monitor user access logs for the cloud environment to identify unusual access patterns.
• Create multiple user accounts with different access permissions based on the least privilege principle – this can limit the utility and value of stolen session cookies.

In many cases, the session cookie is stolen from the endpoint running the browser that is accessing the target web application.  In other words, these pass-the-cookie attacks are post-infiltration attacks – and preventing the attackers from getting into your network in the first place is the most effective mitigation:

• Ensure your network is robustly designed and configured through penetration testing
• Educate staff to spot phishing emails through Security Awareness Training
• Reduce the vulnerable attack surface of your systems through server hardening