Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)
Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie or Web Cookies, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.
There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-05 | Endpoint Management | mitigates | T1550.004 | Web Session Cookie |
Comments
This control provides for the implementation of best practices for endpoint management. Configuring applications to delete persistent web cookies to help mitigate the risk of adversaries using stolen session cookies.
References
|
| DSP-08 | Data Privacy by Design and Default | mitigates | T1550.004 | Web Session Cookie |
Comments
Privacy by design and default is emphasized in this control, integrating privacy measures at every stage of the SDLC and across all components. This includes implementing controls for encrypting sensitive information to ensure the confidentiality and integrity of data, preventing unauthorized access or tampering. For this technique, configure browsers or tasks to regularly delete persistent cookies to prevent the adversaries form using stolen session cookies to authenticate to web applications and services as legitmate users.
References
|
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1550.004 | Web Session Cookie |
Comments
This control provides for the implementation of best practices for third-party endpoint management. Configuring applications to delete persistent web cookies to help mitigate the risk of adversaries using stolen session cookies.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1550.004 | Web Session Cookie |
Comments
The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like OWASP Top 10 to ensure applications are secure. Adversaries can use stolen session cookies to authenticate to web applications and services. Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently.
References
|
| AIS-02 | Application Security Baseline Requirements | mitigates | T1550.004 | Web Session Cookie |
Comments
This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. Access control and permissions can be mitigations to limit and restrict acceptable users granted to access web applications and services.
References
|