To prevent cookie theft, have cyber defense baked in. With progressive web apps (PWA) and other relatively new protective efforts in place, how can you be sure you’re defending against today’s attackers? Here’s what enterprise needs to know about the rumbling threat of pass-the-cookie attacks, how current cloud and mobile frameworks like PWAs can empower these attacks, and what security teams can do to help reduce total risk.

Beyond Multifactor Authentication

MFA solutions are now table stakes for companies looking to secure in-office and at-home networks at the same time. By pairing multifactor authentication (MFA) with intelligent identity and access management (IAM) tools, companies can request more verification from users as needed to ensure their identity. This is critical in a world underpinned by robust remote work. Enterprises need to ensure that users accessing critical services are exactly who they say they are, every single time.

But threat actors aren’t about to be deterred by MFA. Instead, they’ve developed ways to bypass it with ‘pass-the-cookie’ attacks, increasingly leveraging progressive web apps (PWAs) to mimic real users. These allow them to gain network access without the need for MFA verification. The risk of not having MFA is still real, but we also need to think a step beyond it.

What Security Risks Are Associated With Cookies?

Cookies remain a critical component of online life. And while companies are now obliged to be more transparent about cookie collection and consumption, another problem remains. If attackers can get their hands on post-MFA cookies, they may be able to bypass further attempts and gain full access to enterprise networks. This is the crux of cookie hijacking, also known as session hijacking.

In practice, cookie hijacking relies on the stateless nature of HTTP, which treats each request — such as a user looking for access to a corporate network, bank account or e-commerce account — as a separate, self-contained transaction. As a result, web-based apps can’t ‘remember’ users on their own. Using HTTP alone would be extremely frustrating, with login and password details required for every task.

Sessions help solve this problem by providing a cohesive marker that covers a series of interactions between two devices. When the session ends, its relevant details are deleted to help ensure other users can’t gain access. The problem? If attackers are able to hijack sessions while they’re running, they may be able to steal key session details — or cookies — that can then be used to disguise themselves as authorized users and carry out specific actions.

MFA and Beyond

MFA, meanwhile, provides a way to verify users before a session begins. Consider a corporate user logging into their privileged business account. Robust MFA tools may require them to provide one-time text codes or biometric data along with login and password details to prove who they are and grant access to high-level IT services or tasks. What MFA can’t prevent, however, is session hijacking. If attackers are able to eavesdrop on user sessions and obtain cookie data, they can use that to open a new browser session that’s already verified, in turn bypassing any MFA checkpoints.

This is becoming a bigger problem as more companies leverage MFA solutions as sure-fire gatekeepers for user access. If hijacking happens behind the scenes, compromised cookies may go unnoticed because session IDs show users as verified, in turn giving attackers more time to exploit network operations.

But does this have to be the way the cookie crumbles?

Living off the Land

To starve attackers of potential cookie paydays, it’s critical for companies to see the common risk factors that come with session stealing. That’s because these threats exist as part of the broader classification of living off the land (LotL) attacks — compromise vectors that leverage trusted infrastructure and services to infiltrate corporate networks. These LotL efforts are paradoxical. As enterprises get better at detecting and defeating common attack vectors, attackers turn to mission-critical processes to work their way behind corporate lines and establish persistent operations.

The most well-known LotL attacks take the form of fileless malware that uses popular tools, such as PowerShell, to infiltrate enterprise systems without being detected and gain unfettered network access. Cookie theft is another type of LotL attack that is less common but no less damaging. By hijacking session information and repurposing it in a new browser session, malicious actors can bypass some of the strongest defensive measures currently available to enterprises.

Even worse? Because MFA is often seen as the gold standard of user-based defense, supposedly validated users leveraging stolen cookies aren’t seen as potential threats until they start taking big bites out of IT operations — and leaving a trail of crumbs in their wake.

Unpacking New Cookie Concerns

Although any HTTP session has the potential to create cookie compromise, several factors have conspired to increase this risk at scale.

First up? The rapid rise of remote work, which has in turn prompted massive adoption of cloud-based and mobile services. These rely on cookies to help streamline identity operations and reduce functional friction.

IT teams focus on managing the sudden shift away from in-office efforts to home-based networks and preparing for the hybrid future of enterprise staffing. Meanwhile, attackers gain a dual advantage. There are more cookies to go around and fewer people watching the jar. This is becoming more of a problem as personal devices become the de facto standard for privileged access both at home and in the office. It creates an issue for many companies that offer limited resources for monitoring and control.

Single sign-on (SSO) services also play a role. While these solutions offer a streamlined way for users to access key network services and apps, anytime, anywhere, they also pose a risk. While emerging SSO solutions can gate access based on additional, behavioral information to reduce friction — in effect allowing users to bypass key authentication checks if they’re consistently logging in from the same device at the same time every day — they also open the door to cookie concerns. Attackers may be able to hijack SSO sessions and disguise themselves as honest users on corporate networks.

What Are Progressive Web Apps?

There is, however, an even bigger factor when it comes to cookie compromise: progressive web apps, or PWAs.

They’re different from native mobile apps built using device-specific programming languages. Instead, PWAs use common web technologies such as HTML, CSS and JavaScript. They effectively turn websites into web applications that offer nearly identical functions to their native counterparts. In addition, the ‘progressive’ nature of these apps means they can be downloaded and installed as apps on mobile devices that mimic their webpage counterparts. For users and developers, PWAs offer a streamlined way to design and deploy in-demand features and services without the need to code multiple apps for multiple devices.

These apps offer the additional benefit of bridging the gap between online and offline functionality. While online, PWAs grab real-time information from their connected web service, but they also function offline by using locally cached information stored on mobile devices. It’s no surprise, then, that PWA development and deployment is ramping up as companies look to take advantage of this dual-track nature while reducing the time and resources required to create these connected apps.

The Problem With Progressive Web Apps

On the other hand, progressive web apps also pose a risk. If users don’t actively log out of browser sessions and instead simply close the progressive web application they’re using, the sessions don’t automatically end. In most cases, servers specify a session timeout instead, opening a window of opportunity for attackers to sneak in, grab cookies and start chewing their way through any connected services until they’ve accomplished their aims or the session times out.

There is a silver lining here, since cookie data can’t be kept for persistent access once sessions have timed out. But there’s nothing to stop session-hijacking threat actors from deploying back doors or other persistent threats that will grant them a more permanent network presence.

Put simply? As progressive web apps ramp up, the ways to avoid MFA increase.

Keeping Cookies Safe, Progressive Web Apps or Not

To keep cookies out of the hands of cyberattackers, it’s now critical for companies to dish up defenses. These can include:

HTTPS Cookies Only

While many enterprises now use HTTPS on login pages to prevent potential eavesdropping attacks, this isn’t enough to prevent cookie hijacking. Using HTTPS across all websites, services and PWAs instead extends that protection to session cookies and reduces the risk of cookie-jacking attacks. Setting the Secure cookie flag on any application server, which tells the browser to send the cookie only over HTTPS, also helps prevent plaintext eavesdropping of session details.

Improved Storage Architecture

To reduce the time between request and response and improve the performance of PWAs, the use of HTML web storage is common. The problem? Keeping session tokens in web storage streamlines the attack process for cookie stealers looking to copy session access, and web storage at scale remains vulnerable to cross-site scripting (XSS) attacks, since any script running in the page can read it. To limit the chance of cookie compromise, we recommend skipping web storage in favor of secure, local solutions.
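Both the Secure flag recommended above and the choice of HttpOnly cookies over script-readable web storage can be checked mechanically on the Set-Cookie headers a server emits. The following Python is an added example, not code from the article: it audits a Set-Cookie value for the Secure, HttpOnly, SameSite and Max-Age attributes and builds a header that passes; the sample headers and the 15-minute lifetime are constructed assumptions.

```python
"""Audit Set-Cookie headers for session-cookie hardening (added example)."""
from http.cookies import SimpleCookie

# Attribute names as the Morsel class spells them, mapped to the risk each leaves open.
REQUIRED_FLAGS = {
    "secure": "missing Secure: cookie can be sent over plaintext HTTP and eavesdropped",
    "httponly": "missing HttpOnly: cookie readable by injected script, like web storage",
    "samesite": "missing SameSite: cookie attached to cross-site requests",
}


def audit_set_cookie(header: str) -> dict:
    """Return {cookie_name: [finding, ...]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        issues = [msg for attr, msg in REQUIRED_FLAGS.items() if not morsel[attr]]
        # Without Max-Age/Expires the lifetime is whatever the server-side timeout allows.
        if not morsel["max-age"] and not morsel["expires"]:
            issues.append("no Max-Age/Expires: lifetime left entirely to server-side timeout")
        findings[name] = issues
    return findings


def hardened_session_cookie(name: str, value: str, max_age: int = 900) -> str:
    """Build a Set-Cookie value that passes audit_set_cookie (assumed 15-minute lifetime)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # only over HTTPS
    jar[name]["httponly"] = True    # not reachable from page script
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


# Constructed sample headers: a weak session cookie and a hardened one.
SAMPLE_HEADERS = [
    "session=9f2c4d; Path=/",
    hardened_session_cookie("session", "9f2c4d"),
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for cookie, issues in audit_set_cookie(header).items():
            print(f"  {cookie}: {issues or 'OK'}")
```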

Advanced RASP Solutions

Runtime application self-protection (RASP) solutions live within the runtime code of the application they’re protecting. That gives them a bird’s-eye view of every user request and function call made by the program. While advanced RASP options don’t eliminate the risks of cookie-jacking if attackers can eavesdrop on user sessions, they can identify odd application behavior resulting from cookie theft and take action to close the session, in turn reducing the amount of time malicious users have access.

Extensible IAM Services

Last but not least? Comprehensive IAM services. Much like MFA, these tools aren’t enough in isolation to defend applications at scale. When layered with complementary solutions such as RASP and HTTPS, however, IAM solutions can help mitigate overall risk.

Here, it’s critical for companies to choose IAM services that extend beyond local stacks. You need to cover cloud-based applications and services, especially as the number of PWAs ramps up.

Progressive Web Apps and Other Defenses

Bottom line? Cookie hijacking remains a critical concern for companies — and poses increasing risk in a world of evolving remote work initiatives and expanding deployment of progressive web apps. MFA alone isn’t enough to combat these cookie thieves. If they can get behind session lines they can hijack cookie data, masquerade as authenticated users and compromise critical IT functions.

Combine strong MFA, comprehensive HTTPS, protected storage architecture, advanced RASP tools and extensible IAM frameworks for multi-layered coverage. The solution to cookie insecurity is baking in better defense with a layered approach.
