Stealing Web Session Cookies to Bypass MFA (Credential Access)

In this video we'll explore how to attack, detect and defend against the theft of session cookies. A session cookie acts like a temporary password: whoever presents it is treated as the already-authenticated user. An attacker who steals the cookie can therefore access the application without going through the logon process at all, including any multi-factor authentication steps.
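The following is an added illustration, not code from the video or its author. It is a toy Python model of a web application with server-side sessions: the user logs in with a password plus an MFA code and receives a random session cookie; a second client (the attacker) then replays that cookie. All users, credentials, addresses and User-Agent strings are constructed for the example. The `App` class, `bind_to_client` flag and `run_scenario` helper are assumptions of this illustration, showing one attack path, one detection signal (the same cookie appearing from a different client) and one defence (revoking the session on mismatch).

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data for the illustration; none of it is a real credential.
USERS = {"alice": {"password": "correct horse battery", "totp_code": "123456"}}
VICTIM_IP, VICTIM_UA = "203.0.113.5", "Mozilla/5.0 (X11; Linux) Firefox/115.0"
ATTACKER_IP, ATTACKER_UA = "198.51.100.7", "python-requests/2.31"


@dataclass
class Session:
    user: str
    ip: str          # client address the session was issued to
    user_agent: str  # User-Agent header seen at login


class App:
    """Toy web application with server-side sessions keyed by the cookie value."""

    def __init__(self, bind_to_client: bool = False):
        self.sessions: dict[str, Session] = {}
        self.bind_to_client = bind_to_client  # defend: revoke on client mismatch
        self.alerts: list[str] = []           # detect: log of suspicious cookie reuse

    def login(self, username, password, totp_code, ip, user_agent):
        """Password + MFA check; on success issue a fresh random session cookie."""
        u = USERS.get(username)
        if u is None:
            return None
        if not hmac.compare_digest(password, u["password"]):
            return None
        if not hmac.compare_digest(totp_code, u["totp_code"]):
            return None
        cookie = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self.sessions[cookie] = Session(username, ip, user_agent)
        return cookie

    def request(self, cookie, ip, user_agent):
        """An authenticated request: returns the acting user, or None if rejected.

        Neither the password nor the MFA code is consulted here; only the cookie
        is. That is exactly why a stolen cookie bypasses both.
        """
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if (ip, user_agent) != (s.ip, s.user_agent):
            # Detection signal: one session cookie used from two different clients.
            self.alerts.append(
                f"cookie for {s.user} issued to {s.ip} / {s.user_agent} "
                f"now used from {ip} / {user_agent}"
            )
            if self.bind_to_client:
                # Defence: kill the session so everyone, including the victim,
                # must log in again (and pass MFA again).
                del self.sessions[cookie]
                return None
        return s.user

    def logout(self, cookie):
        """Server-side invalidation: the cookie value is useless after this."""
        self.sessions.pop(cookie, None)


def run_scenario(bind_to_client: bool) -> dict:
    """Victim logs in with password + MFA; attacker replays the stolen cookie."""
    app = App(bind_to_client=bind_to_client)
    cookie = app.login("alice", "correct horse battery", "123456", VICTIM_IP, VICTIM_UA)
    return {
        "victim": app.request(cookie, VICTIM_IP, VICTIM_UA),          # normal use
        "attacker": app.request(cookie, ATTACKER_IP, ATTACKER_UA),    # replayed cookie
        "victim_after": app.request(cookie, VICTIM_IP, VICTIM_UA),    # still valid?
        "alerts": app.alerts,
    }


if __name__ == "__main__":
    for bind in (False, True):
        r = run_scenario(bind)
        print(f"bind_to_client={bind}: victim={r['victim']} attacker={r['attacker']} "
              f"victim_after={r['victim_after']} alerts={len(r['alerts'])}")
```

With `bind_to_client=False` the attacker's replay is accepted as `alice` even though the attacker never saw the password or the MFA code; the only trace is the alert line, which is the kind of event a detection rule would key on. With `bind_to_client=True` the mismatch revokes the session and the victim is forced back through login and MFA. Pinning a session to the IP address alone is a blunt instrument in practice (mobile and VPN users change address often, and an attacker behind the same NAT shares it), so real deployments typically combine short session lifetimes, server-side invalidation on logout, re-authentication for sensitive actions and anomaly alerting rather than hard IP binding.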

If you find the video useful please do give it a like, and consider subscribing if you want more of this sort of content. Drop a note in the comments if there’s anything you think I missed, or if you have a good idea of what topic I should cover next.

Further reading/watching:

Audio Credits (licensed under CC0):

Timestamps:
0:00 Intro
1:43 Attack
3:38 Detect
6:08 Defend
Comments

Andy, thanks a lot for making this video. The detailed explanation helped me understand more clearly. The idea of attack, detect, defend is extraordinary. This is how we need to learn security concepts (3D view). Please make more videos; you will soon reach good heights. All the best!!✌

pavansrivatsavakula

This video will help me test a two-factor authentication system for accessing servers and network equipment in an environment, thank you very much.

bernardesk

Thanks for the knowledge. Was looking for this explanation for a while now.

ehasaranga

Explained so well; this is some quality ass video.

Edit: subbed for sure

Nika

Great video. This helps me on MFA requirements.

ptsai

Great content.
Please do more videos in this series.

muralimohan

It would be nice if websites gave the user the ability to enable the mitigations shown here; for instance, I'd be mostly fine if I had to re-login on IP address changes. I'm a residential user, so yes, my address does change, but not that often.
Actually, that would be a lot less of a pain than the two-factor authentication stuff being forced on me, as in their version with no options.

paulstubbs

Thanks for the video, bro, you are the best!!!

joelitle

I was speaking about this in theory with a more experienced hacker and they were skeptical that it's possible. I told them MFA on some sites won't be sus of the new IP.

DestoFlix

Good one, Andy boy. I wonder why most web security channels are by Americans.
What the heck are the other Brits doing?
I'm Indian and I need more Brit tutorials, please.

BlokeBritish

What if the website set a particular time for a session to end due to inactivity?

impro

Hi Andy, do we have something to store the physical address of the machine? That could solve our issue, as IP is a dynamic thing. And can hackers clone the IP or MAC address too??

amanaggarwal

My brother, one big question I want to ask you freely. For example, in my web app people sign up for their account. After that, from their cookie, as an admin can I check, besides my web app, what other websites or other things they are browsing from their browser? I am asking this question to see user preferences, which will help us to show them ads based on their browser search history. How can I do this? Facebook is already collecting our whole browsing data from cookies.

showbikshowmma

Andy, would it be secure, in this case, to use a password manager + erase cookies in every session?

MrDavi

So would logging out of an account mean the session token will be different every time you log in? Just clarifying because I'm a bit anxious about one of my accounts 😭

tam

Hi, please, if we think the cookies got hacked, what do we do? Please, thanks.

denverm

Why aren't local cookies stored encrypted?

-zerocool-

Thank you soooo much, I cookie-logged on Roblox and made 500 USD worth of

Grimzys

This helped me hack my hacked account back.

projectjinc.