How To Protect Your Online Applications From Pass-the-Cookie Cyber Attacks


Learn how to protect your online applications from pass-the-cookie cyber attacks. CISA’s analysis concluded that the cyber threat actors involved in cloud service attacks use a variety of tactics and techniques, including phishing. This article looks at how to strengthen your online apps against cloud service attacks such as ‘pass-the-cookie’ attacks.

Very recently, the Cybersecurity & Infrastructure Security Agency (CISA) published an analysis report (AR21-013A) on strengthening security configurations to defend against attackers targeting cloud services. The analysis concluded that the cyber threat actors involved in these cloud service attacks used a variety of tactics and techniques, including phishing, brute-force login attacks, and possible ‘pass-the-cookie’ attacks.

CISA reported that it verified that threat actors successfully signed into one user’s account with proper multi-factor authentication (MFA) in place; in that case, CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (Use Alternate Authentication Material: Web Session Cookie [T1550.004]). This finding raised questions about the effectiveness of MFA and whether MFA is still fit for purpose.

Web applications are typically online applications, meaning that the client side of the application contacts the server side or service whenever it needs an update, unless the client side has logic to act locally on events or on data stored on the client, as is the case with Progressive Web Applications (PWA).

What is a Progressive Web Application?

A PWA is a type of application software delivered through the web, built using common web technologies such as HTML, CSS, and JavaScript. It is intended to work on any platform that uses a standards-compliant browser, including both desktop and mobile devices.

A PWA is a single-page web application that can be installed and can run offline on any device that has a compliant browser. The application can access local storage and mobile device sensors, provide support for push notifications, and so on. A PWA is much like an online application: it provides real-time information from its web service when online, works with locally cached information when offline, and looks and behaves like a native application.

A PWA does not require proprietary app stores to be delivered and installed; installation is simply done through the web browser. It can run on any platform that has a compliant browser and uses the browser’s run-time, meaning that it can run on Windows, macOS, Chrome, iOS, iPadOS, Android, Linux, etc.

PWAs rely extensively on the browser’s JavaScript engine and used to be written exclusively in JavaScript. Not every developer is a fan of JavaScript, which led to JavaScript transpilers that allow complex client-side applications to be written in Scala, Dart, CoffeeScript, Groovy, Lua, and other languages. There is no need for cross-compiling or rebuilding the application per platform; a transpiled application needs a translation step, but the result runs natively on all platforms with a standards-compliant browser.
