How to strengthen your online apps against cloud service attacks such as ‘pass-the-cookie’ attacks.
Very recently, the Cybersecurity & Infrastructure Security Agency (CISA) published an analysis report (AR21-013A) on strengthening security configurations to defend against attackers targeting cloud services. The analysis concluded that cyber threat actors involved in cloud service attacks use a variety of tactics and techniques, including phishing, brute-force login attacks, and possible ‘pass-the-cookie’ attacks.
CISA reported that it verified threat actors successfully signing into one user’s account with proper multi-factor authentication (MFA); in that case, CISA believes the threat actors may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (Use Alternate Authentication Material: Web Session Cookie [T1550.004]). This raised a few questions about the effectiveness of MFA and whether MFA is still fit for purpose.
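A pass-the-cookie attack works because, once MFA has been completed, the session cookie alone is accepted as proof of identity. The defensive countermeasure is to treat that cookie as a short-lived credential bound to the context it was issued in. The following is an added illustration, not code from CISA or from any product: a hypothetical in-memory session store that issues a session only after MFA, binds it to a fingerprint of the user agent and client network (assumed IPv4 inputs), expires it on inactivity, and revokes it when the same cookie is presented from a different context, which is the signal a SOC should alert on.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo: bind a post-MFA session cookie to the client context it was
# issued in, so a cookie copied out of one browser and replayed elsewhere fails.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, even if active

_sessions = {}                # session id -> metadata (hypothetical in-memory store)

def client_binding(user_agent: str, client_ip: str) -> str:
    """Fingerprint of the client context (assumes an IPv4 address as input)."""
    net = ".".join(client_ip.split(".")[:3])   # /24, so minor roaming does not log users out
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()

def issue_session(user: str, mfa_verified: bool, user_agent: str, client_ip: str) -> str:
    """Mint a session id only once MFA has succeeded and record its binding."""
    if not mfa_verified:
        raise PermissionError("session issued only after MFA")
    sid = secrets.token_urlsafe(32)
    now = time.time()
    _sessions[sid] = {"user": user, "binding": client_binding(user_agent, client_ip),
                      "issued": now, "last_seen": now}
    return sid

def set_cookie_header(sid: str) -> str:
    """Secure + HttpOnly + SameSite limit how the cookie can be read or sent cross-site."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/; Max-Age={ABSOLUTE_TIMEOUT}"

def validate_session(sid: str, user_agent: str, client_ip: str, now=None) -> tuple:
    """Return (ok, reason). A binding mismatch is the pass-the-cookie signal: revoke and alert."""
    now = time.time() if now is None else now
    meta = _sessions.get(sid)
    if meta is None:
        return False, "unknown_session"
    if now - meta["issued"] > ABSOLUTE_TIMEOUT or now - meta["last_seen"] > IDLE_TIMEOUT:
        _sessions.pop(sid)
        return False, "expired_reauth_required"
    if not hmac.compare_digest(meta["binding"], client_binding(user_agent, client_ip)):
        _sessions.pop(sid)   # suspected stolen-cookie replay: kill the session, log for the SOC
        return False, "binding_mismatch_possible_pass_the_cookie"
    meta["last_seen"] = now
    return True, "ok"
```

Binding to a /24 and a user agent is a heuristic: it stops the cheapest replays and produces a clear detection event, while stronger protection comes from short lifetimes and device-bound tokens where the platform supports them.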
Web applications are typically online applications, meaning that the client side of the application contacts the server side or service whenever it needs an update, unless the client side has logic to act locally on events or on data stored on the client, as is the case with Progressive Web Applications (PWAs).
A PWA is a single-page web application that can be installed and run offline on any device with a compliant browser. The application can access local storage and mobile device sensors, support push notifications, and so on. A PWA is much like an online application: it provides real-time information from its web service when online but can work with locally cached information when offline, and it looks and behaves like a native application.
A PWA does not require proprietary app stores to be delivered and installed; installation is simply done through the web browser. It can run on any platform that has a compliant browser and uses the browser’s run-time, meaning that it can run on Windows, macOS, Chrome, iOS, iPadOS, Android, Linux, etc.