Industry Insights with Jed Mitten

Anti-Phishing, DMARC , Cybercrime , Data Loss Prevention (DLP)

A Deep Dive into SaaS Session Hijacking

Covering the Technical Aspects of a Session Hijacking Attack
A Deep Dive into SaaS Session Hijacking

In a previous blog, we introduced the growing threat of session hijacking and explained how dangerous and discrete these attacks can be. Today, we’ll walk through a demonstration of SaaS session hijacking in detail. Our objective is not only to explain the fundamentals of the attack, but also to show how easily a targeted user might be overlooked and highlight how we detect token compromise across SaaS.

See Also: Live Webinar | Special Delivery! Defending and Investigating Advanced Intrusions on Secure Email Gateways

Techniques such as malware and phishing via a man-in-the-middle (MITM) attack allow attackers to bypass login credentials and MFA to assume direct control of an existing session. CrowdStrike, an Obsidian partner, revealed that such techniques were used during the SolarWinds intrusion in one of the biggest nation-state attacks of all time.

Today, we’ll look in depth at the technical aspects of a session hijacking attack:

  • The ease of setting up a MITM attack using a reverse HTTP proxy and common compute infrastructure
  • What the attack looks like
  • How to detect and investigate such an attack

Successfully hijacking a session token grants an attacker access to all authorized resources, a wealth of sensitive information, and even administrative permissions granted to the user—along with an opportunity for lateral movement across applications. These devastating outcomes underscore the importance of understanding, identifying, and mitigating session hijacking in your organization.

The Setup

One simple approach to set up a MITM attack is to use the architecture shown below:

In this scenario, the user is properly accessing their Microsoft service portal using Azure Active Directory as their identity provider (IDP) and has MFA enabled to protect against compromised login credentials. To get into the middle of this process, the attacker will attempt to insert themselves between the user and IDP.

To demonstrate the attack, our team uses the Evilginx2 reverse proxy tool to intercept session cookies and the EditThisCookie2 Firefox extension to quickly reuse them without reformatting.

The Switcheroo

In a basic MITM scenario, the attacker develops a convincing phishing message to lure the user into clicking a malicious link. Here, the Microsoft user is fooled by a phishing email leading to a login screen that appears legitimate—except traffic is proxied through evilginx2.

Because the proxy relays traffic between the user and server, the user can successfully authenticate and have access to any applications using Microsoft as an IDP. To their eyes, it’s business as usual.

The attacker intercepts a number of sensitive details, including the user’s IP address, user agent string, credentials, and most importantly, the session token. This allows the attacker to authenticate into the user session without ever needing login credentials or an MFA token. In this demonstration, the attacker opens Firefox with the EditThisCookie2 extension installed, grabs the session tokens from the MITM server, navigates to the login portal, and authenticates into the session. From there, the sky’s the limit.

The Wrap-Up

This is a simplistic demonstration of SaaS session hijacking using MITM. Our team has demonstrated these techniques successfully in a number of enterprise environments where various IDP and MFA security measures were enabled. In the wild, session hijacking attacks are typically far more sophisticated than our simulation and part of a complex campaign, as evidenced in the aforementioned Crowdstrike research. SaaS session hijacking is often executed discreetly. It’s difficult to detect because attackers reuse legitimate tokens and can establish persistence in connected applications.

Obsidian uses machine learning to identify cases of session hijacking, enabling security teams to mitigate these potentially devastating attacks promptly while simultaneously helping them harden the security posture of their SaaS environment. Our security researchers and detection engineers work collaboratively on a wide variety of account compromise scenarios and the models needed to thwart them. The Obsidian platform identifies suspicious activity across various SaaS services, including session hijacking, to enable your security team to quickly and confidently respond to threats.

About the Author

Jed Mitten

Jed Mitten

Senior Security Researcher, Obsidian Security

Jed Mitten is a senior security researcher with Obsidian Security and focuses on turning threat data into threat intelligence. His specialities include cyber threat research, application pen-testing, incident responses and digital forensics. Prior to Obsidian he was a Staff Threat Indication Engineer with FireEye and a Principal Consultant at Mandiant. Jed holds a Master Degree in Information Security Technology and Management from Carnegie Mellon University and a BS in Computer Science from San Diego State University.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.