A Deep Dive into SaaS Session HijackingCovering the Technical Aspects of a Session Hijacking Attack
In a previous blog, we introduced the growing threat of session hijacking and explained how dangerous and discrete these attacks can be. Today, we’ll walk through a demonstration of SaaS session hijacking in detail. Our objective is not only to explain the fundamentals of the attack, but also to show how easily a targeted user might be overlooked and highlight how we detect token compromise across SaaS.
Techniques such as malware and phishing via a man-in-the-middle (MITM) attack allow attackers to bypass login credentials and MFA to assume direct control of an existing session. CrowdStrike, an Obsidian partner, revealed that such techniques were used during the SolarWinds intrusion in one of the biggest nation-state attacks of all time.
"These devastating outcomes underscore the importance of understanding, identifying, and mitigating session hijacking in your organization."
Today, we’ll look in depth at the technical aspects of a session hijacking attack:
- The ease of setting up a MITM attack using a reverse HTTP proxy and common compute infrastructure
- What the attack looks like
- How to detect and investigate such an attack
Successfully hijacking a session token grants an attacker access to all authorized resources, a wealth of sensitive information, and even administrative permissions granted to the user—along with an opportunity for lateral movement across applications. These devastating outcomes underscore the importance of understanding, identifying, and mitigating session hijacking in your organization.
One simple approach to set up a MITM attack is to use the architecture shown below:
In this scenario, the user is properly accessing their Microsoft service portal using Azure Active Directory as their identity provider (IDP) and has MFA enabled to protect against compromised login credentials. To get into the middle of this process, the attacker will attempt to insert themselves between the user and IDP.
To demonstrate the attack, our team uses the Evilginx2 reverse proxy tool to intercept session cookies and the EditThisCookie2 Firefox extension to quickly reuse them without reformatting.
In a basic MITM scenario, the attacker develops a convincing phishing message to lure the user into clicking a malicious link. Here, the Microsoft user is fooled by a phishing email leading to a login screen that appears legitimate—except traffic is proxied through evilginx2.
Because the proxy relays traffic between the user and server, the user can successfully authenticate and have access to any applications using Microsoft as an IDP. To their eyes, it’s business as usual.
The attacker intercepts a number of sensitive details, including the user’s IP address, user agent string, credentials, and most importantly, the session token. This allows the attacker to authenticate into the user session without ever needing login credentials or an MFA token. In this demonstration, the attacker opens Firefox with the EditThisCookie2 extension installed, grabs the session tokens from the MITM server, navigates to the login portal, and authenticates into the session. From there, the sky’s the limit.
This is a simplistic demonstration of SaaS session hijacking using MITM. Our team has demonstrated these techniques successfully in a number of enterprise environments where various IDP and MFA security measures were enabled. In the wild, session hijacking attacks are typically far more sophisticated than our simulation and part of a complex campaign, as evidenced in the aforementioned Crowdstrike research. SaaS session hijacking is often executed discreetly. It’s difficult to detect because attackers reuse legitimate tokens and can establish persistence in connected applications.
Obsidian uses machine learning to identify cases of session hijacking, enabling security teams to mitigate these potentially devastating attacks promptly while simultaneously helping them harden the security posture of their SaaS environment. Our security researchers and detection engineers work collaboratively on a wide variety of account compromise scenarios and the models needed to thwart them. The Obsidian platform identifies suspicious activity across various SaaS services, including session hijacking, to enable your security team to quickly and confidently respond to threats.