Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.
Adversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.
Once forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| UEM-05 | Endpoint Management | mitigates | T1606.001 | Web Cookies |
Comments
This control provides for the implementation of best practices for endpoint management. Configuring applications to delete persistent web credentials and limiting privileges can help mitigate the risk of adversaries generating and using forged web cookies.
References
|
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1606.001 | Web Cookies |
Comments
This control provides for the implementation of best practices for third-party endpoint management. Configuring applications to delete persistent web credentials and limiting privileges can help mitigate the risk of adversaries generating and using forged web cookies.
References
|
| AIS-04 | Secure Application Design and Development | mitigates | T1606.001 | Web Cookies |
Comments
This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1606.001 | Web Cookies |
Comments
The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like OWASP Top 10 to ensure applications are secure. Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.
References
|