What is Pass-The-Cookie Website Exploitation?

Written By Hannah Golding

What is a Website Vulnerability?

An attacker will first discover a vulnerability, then attempt to exploit it to gain a foothold within the host. Most commonly, vulnerabilities exist due to outdated software on the web application, such as the webserver, however, web applications can have their own issues due to problems in the coding and configuration of the application itself. 

The most common security risks for web applications include:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting XSS
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring


What is Website Exploitation? 

Website exploitation is a common way of attacking websites. Approximately 90% of reported data breaches find that an exploit is used at one or more points in the attack chain. 

Exploitation is the next step an attacker can take after finding a vulnerability. This is the means through which a vulnerability can be leveraged for malicious activity by hackers; these include pieces of software, sequences of commands, or even open-source exploit kits.

What is a Session Cookie?

Cookies are data that is stored in the temporary memory, or ‘cache’, of a web browser and is sent back to the same website that created them. 

Every browser independently holds its own cookie storage database – for example, cookies saved by a browser that has been accessed using Chrome, are not visible to Firefox. 

By opening a private browsing window, user’s would be providing that window with a new, empty and temporary cookie database. Opening multiple tabs in the same window will also result in the share of the same cookie database. Thus, a session cookie is simply a cookie storing information used by the web application to manage the current user’s session, whether in one, two or more tabs.

Session cookies are generated by the web application after a user has logged in successfully, meaning the cookie confirms that the user’s ID and password are valid, and the user has passed any multi-factor authentication (MFA) challenges, such as submitting a one-time password or using a dongle.

A copy of the session cookie is included when a web application receives a request from a browser and in turn, the web application can validate the session cookie and use it to authorise the request. 

Such cookies are used for convenience after a user is authenticated to the service so that users don’t need to repeatedly re-authenticate often. However, this does mean the session cookies are valid for some time (between a few minutes or hours depending on the web application), which can leave room for hackers to steal a copy of a user’s session cookie – also known as a ‘pass-the-cookie’ attack. 

How Does a Pass-the-Cookie Attack Work?

In such an attack, the perpetrator can inject the web application with malicious script which enables the user’s session cookies to be stolen. For each visit to the site, the malicious script is activated and more data is taken.

The user’s cookies are then imported into a browser that the perpetrator controls, meaning they can use the site as the user for as long as the cookie remains active. This gives the perpetrator the potential to move around laterally, accessing sensitive information and performing actions on the victim’s account. 

How to Mitigate Pass-the-Cookie Attacks

The only way to near-enough eradicate the risk of a pass-the-cookie attack is by forcing the user to reauthenticate more frequently for different web application functionality. However, this would diminish the user experience.

Luckily, with plenty of easy mitigation methods available, the likelihood of a pass-the-cookie attack occurring can be reduced.

By simply logging off the web application and closing the browser after you finish using it, can significantly lower the risk of an attack. Many users never log-off, which increases the threat.

Regular testing for pass-the-cookie attacks, as part of your application and architecture-based security review and assessments, can also help reduce the probability of an attack taking place. This can help spot vulnerabilities where script injection could be enabled.

Increasing awareness of pass-the-cookie attacks, through methods such as better user training in cookie management specifically, can also help reduce the risk of an attack occurring.

Nevertheless, effective mitigation largely depends on having the appropriate internal security cultures in place. Maintaining security consciousness within an organization or as an individual is critical for identifying and responding to security threats, as well as following security processes. Being aware of your security posture is crucial to discover and fix apparent vulnerabilities.

To find out more about Risk Management services and how CyberClan can help to mitigate the risk of Pass-the-Cookie attacks on your business, please contact the Risk management team here: Email: info@cyberclan.com US/CAD: 1855 685 5785 UK: 0800 048 7360

Knowledge Base

The Uber Hack – what went wrong and how bad is it?

Written by Mikel Pearce On September 15, Uber revealed that it was responding to a “cybersecurity incident”. Over the past ...

Read More +

Combating cyber security threats in educational institutions

Written by Natalie Trotter Cyber-attacks within educational institutions have been growing in frequency over the years and COVI...

Read More +

Cyber Exclusions and Nation State Actors – Burden of Proof Issues?

By Mikel Pearce In a recent Market Bulletin dated 16 August 2022 [1], Lloyd’s has set out its requirement that any standalone...

Read More +
CyberClan CyberClan CyberClan CyberClan