Steal Web Session Cookie
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.
Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g., apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.[1]
There are several examples of malware targeting cookies from web browsers on the local system.[2][3] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.[4][5]
After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to log in to the corresponding web application.
Procedure Examples
Name | Description |
---|---|
CookieMiner | CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim's machine.[6] |
TajMahal | TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks applications.[2] |
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication | A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[7] |
Software Configuration | Configure browsers or tasks to regularly delete persistent cookies. |
User Training | Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. |
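The Multi-factor Authentication mitigation above rests on the login domain being part of the second-factor negotiation. The following added example (not code from the ATT&CK page) shows the relying-party side of that check for a FIDO2/WebAuthn assertion: the browser, not the web page, writes the origin into clientDataJSON, and the authenticator binds its response to the RP ID, so an assertion produced while the user is on a proxy's lookalike domain is rejected by the real site. The browser and authenticator stand-ins, the relying party `example.com`, the origin `https://login.example.com` and the lookalike domain are all constructed for the example; no real signature is produced or checked.

```python
# Added example: relying-party checks that make a domain-bound second factor resistant
# to a man-in-the-middle phishing proxy. The relying party example.com and the origins
# below are constructed; the browser and authenticator functions are simplified stand-ins
# used only to produce the data structures a real verifier would receive.
import base64
import hashlib
import json
import os
from typing import Tuple

RP_ID = "example.com"                    # constructed relying party identifier
RP_ORIGIN = "https://login.example.com"  # constructed origin the relying party expects


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_collect_client_data(origin: str, challenge: bytes) -> bytes:
    # Stand-in for the browser. The origin is taken from the page the user is actually
    # on; the page's scripts cannot change it. A phishing proxy would only be able to
    # relay the real site's challenge, not alter this field.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def authenticator_data(rp_id: str) -> bytes:
    # Stand-in for the authenticator. The first 32 bytes are SHA-256 of the RP ID the
    # browser derived from the current origin; a minimal flags byte and counter follow.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> Tuple[bool, str]:
    # Relying-party checks from the assertion verification procedure, up to but not
    # including the signature check (which covers clientDataJSON, so the origin field
    # cannot be rewritten in transit without invalidating the signature).
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if unb64url(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    return True, "ok (signature check would follow)"


def login_attempt(origin_user_is_on: str, rp_id_browser_derives: str) -> Tuple[bool, str]:
    challenge = os.urandom(32)  # issued by the real site for this login
    cdj = browser_collect_client_data(origin_user_is_on, challenge)
    ad = authenticator_data(rp_id_browser_derives)
    return verify_assertion(cdj, ad, challenge)


def legitimate_login() -> Tuple[bool, str]:
    # User is on the real login page; browser derives the real RP ID.
    return login_attempt(RP_ORIGIN, RP_ID)


def proxied_login() -> Tuple[bool, str]:
    # User is on a proxy's lookalike domain (constructed); the relayed challenge matches,
    # but the browser records the lookalike origin, so the real site rejects it.
    return login_attempt("https://login.example-com.net", "example-com.net")


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxied:   ", proxied_login())
```

The check order mirrors the verification procedure: ceremony type, challenge, origin, then RP ID hash. A password-only or OTP-only login has no field that the browser fills in on the user's behalf, which is why a proxy can relay those credentials but not a domain-bound assertion.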
Detection
Monitor for attempts to access files and repositories on a local system that are used to store browser session cookies. Monitor for attempts by programs to inject into or dump browser process memory.
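As an added example of the two detection opportunities named above (not code from the ATT&CK page), the following Python pass runs over constructed endpoint audit events and flags non-browser processes reading browser cookie stores, and non-browser processes opening a browser process with memory-read or injection-capable access. The cookie store paths, browser image names and Windows access-right names are assumptions based on common defaults; the events are constructed and the user `alice` and the file names are placeholders.

```python
# Added example: detection pass over constructed audit events for the two behaviours the
# Detection text describes. Paths, process names and access-right names below are
# assumptions based on common browser and OS defaults, not values from the page.
import re
from dataclasses import dataclass
from typing import List, Optional

# Browser cookie store locations, matched after normalising path separators.
COOKIE_STORE_PATTERNS = [
    re.compile(r"/(google/chrome|google-chrome|chromium|microsoft/edge)/.*/cookies$", re.I),
    re.compile(r"/\.?mozilla/firefox/(profiles/)?[^/]+/cookies\.sqlite$", re.I),
    re.compile(r"/library/cookies/cookies\.binarycookies$", re.I),
]

# Browser image names; a browser reading its own store or process is expected.
BROWSER_PROCESSES = {"chrome.exe", "chrome", "msedge.exe", "msedge",
                     "firefox.exe", "firefox", "safari"}

# Process-handle rights that allow reading or injecting into another process's memory
# (Windows names; other platforms would map their equivalents here).
MEMORY_ACCESS_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE",
                        "PROCESS_CREATE_THREAD", "PROCESS_ALL_ACCESS"}


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def _basename(image: str) -> str:
    # Reduce a full image path to its lower-cased file name.
    return re.split(r"[\\/]", image)[-1].lower()


def is_cookie_store(path: str) -> bool:
    normalised = path.replace("\\", "/")
    return any(p.search(normalised) for p in COOKIE_STORE_PATTERNS)


def evaluate(event: dict) -> Optional[Alert]:
    actor = _basename(event.get("process", ""))
    if actor in BROWSER_PROCESSES:
        return None  # browsers touching their own stores and processes is normal
    if event.get("type") == "file_read" and is_cookie_store(event.get("path", "")):
        return Alert("cookie_store_access", actor, event["path"])
    if event.get("type") == "process_access":
        target = _basename(event.get("target", ""))
        rights = {r.strip().upper() for r in event.get("access", "").split("|")}
        hit = rights & MEMORY_ACCESS_RIGHTS
        if target in BROWSER_PROCESSES and hit:
            return Alert("browser_memory_access", actor, f"{target} {'|'.join(sorted(hit))}")
    return None


def run(events) -> List[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events: one benign browser read, two suspicious cookie store reads,
# one unrelated file read, one memory-read handle to the browser, one benign handle.
SAMPLE_EVENTS = [
    {"type": "file_read", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_read", "process": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_read", "process": "/usr/bin/python3",
     "path": "/home/alice/.mozilla/firefox/abcd1234.default-release/cookies.sqlite"},
    {"type": "file_read", "process": r"C:\Windows\notepad.exe",
     "path": r"C:\Users\alice\notes.txt"},
    {"type": "process_access", "process": r"C:\Users\alice\Downloads\tool.exe",
     "target": "chrome.exe", "access": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION"},
    {"type": "process_access", "process": r"C:\Windows\explorer.exe",
     "target": "chrome.exe", "access": "PROCESS_QUERY_LIMITED_INFORMATION"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.rule}: {alert.process} -> {alert.detail}")
```

Backup agents, sync clients and security tools legitimately read profile directories, so in production the actor allow-list would be tuned per environment; the point of the two rules is that a process with no business reading a cookie database, or holding a memory-read handle to the browser, is the signal the Detection text describes.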
References
- Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Chen, Y., Hu, W., Xu, Z., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved October 14, 2019.
- Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.
- Orrù, M., Trotta, G. (2019, September 11). Muraena. Retrieved October 14, 2019.
- Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved July 22, 2020.
- Gretzky, K. (2018, July 26). Evilginx 2 - Next Generation of Phishing 2FA Tokens. Retrieved October 14, 2019.