Hello and welcome to another application of the MITRE ATT&CK framework discussion. Today we're going to be looking at Steal Web Session Cookie, as it's listed in MITRE, or stealing web session cookies. So the objectives for today are as follows.
We're going to describe what Steal Web Session Cookie is with respect to that vector in the MITRE ATT&CK framework,
some mitigation techniques and some detection techniques. So let's go ahead and jump right in.
So, Steal Web Session Cookie: a web application or service session cookie can be used by a threat actor to gain access to the application or Internet service without needing to authenticate.
Other places cookies can be found: on the disk, in memory, and in network traffic for sessions. And so that's why a lot of times you hear about things like Burp Suite and other tools being used to proxy in between something or do like a man in the middle and capture cookie information. Session cookies can be used to bypass some multi-factor authentication protocols, so that's a good note to have.
Now there is an open source framework. In this case, we're just looking at one, but there are a number of other ones, but we're just gonna talk about Evilginx2 in this case. And so this is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies. And so there are a number of other ones out there.
But essentially, there are ways in which threat actors can deceive an end user into making a connection to a bad site, or essentially putting something up again between the site, the legitimate site, and the user to scrape credentials and get session information.
Now some mitigation techniques here. A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods. Force browsers to delete persistent cookies, and then end user training to look for phishing and other credential gathering techniques is big here as well.
I've seen a number of systems like Office 365 that have some functions where if you are in one state and you magically log in in another state or China or out of the country, it will scratch its head and tell you that this cannot be possible. You cannot be in two places at once, and it will not allow the login to occur.
Now, some detection techniques. We can look for repository access on local systems used to store browser session cookies. And so, like in Chrome, your Users\<username>\AppData\Local\Google\Chrome\User Data\Default is a location for cookies,
and then in Mozilla, cookies are all stored in the cookies.sqlite file.
Monitor for attempts to inject into or dump browser process memory. So whether we're looking in these areas for access, for manipulation as far as against these particular browsers, or if we're looking for attempts to skim cookies out of memory or out of browser information,
those are all great ways to kind of detect when a threat actor may be doing something nefarious.
So let's do a quick check on learning. True or false: stealing web session cookies in some cases will allow the threat actor to bypass multi-factor authentication.
All right, well, if you need more time, please pause the video. So in this case, this is a true statement. There are some cases where stealing web session cookies will allow a threat actor to bypass multi-factor authentication, so that is a true statement.
Summary. So today's summary is as follows. We described web session cookie stealing and what that is, so essentially you authenticate against the website and that threat actor is able to intercept that communication and steal that token, that cookie. And they can then use that to replicate the session and Morgan issue,
we reviewed some mitigation techniques. We talked about some detection techniques.
Monitoring areas where cookie information is stored when there's an access, looking for scraping techniques and things of that nature, as well as implementing dual factor in some cases, can help to mitigate
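
The detection idea from the talk, flagging any process other than the browser itself that opens the Chrome or Firefox cookie store, as an added example that is not part of the original video. The event field names (`image`, `target`), the default install paths and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename, normcase  # Windows path rules, usable on any OS

# (browser, cookie-store path pattern, binaries expected to open it).
# Install paths are assumptions for a default install; adjust per fleet.
COOKIE_STORES = [
    ("chrome",
     re.compile(r"\\appdata\\local\\google\\chrome\\user data\\default\\(.*\\)?cookies(-journal)?$"),
     {r"c:\program files\google\chrome\application\chrome.exe"}),
    ("firefox",
     re.compile(r"\\cookies\.sqlite(-wal|-shm)?$"),
     {r"c:\program files\mozilla firefox\firefox.exe"}),
]

def classify(event):
    """Return (browser, verdict) for a file-access event, None if no cookie store is touched."""
    target, image = normcase(event["target"]), normcase(event["image"])
    for browser, pattern, expected in COOKIE_STORES:
        if pattern.search(target):
            return browser, "expected" if image in expected else "suspicious"
    return None

def suspicious_accesses(events):
    """List (process name, browser, target) for accesses by anything but the browser itself."""
    hits = []
    for event in events:
        result = classify(event)
        if result and result[1] == "suspicious":
            hits.append((basename(event["image"]), result[0], event["target"]))
    return hits

# Constructed sample events; the "image"/"target" field names are hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\cookies.sqlite"},
    {"image": r"C:\Users\alice\Downloads\chrome.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\cookies.sqlite"},
    {"image": r"C:\Windows\notepad.exe", "target": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for name, browser, target in suspicious_accesses(SAMPLE_EVENTS):
        print(f"ALERT {name} opened the {browser} cookie store: {target}")
```

Matching on the full image path rather than the process name alone means a binary merely named `chrome.exe` in a user-writable folder is still flagged.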