How Easy Are Session Tokens To Copy & How Do You Defend?

Captions
systems, and with all the recent attacks, and specifically the Linus one, that kind of triggered a lot of people asking about this: what are session tokens and how easy are they to steal? That's one of the things I want to demonstrate here. I'm going to be doing this in Xen Orchestra because it's really easy to demonstrate how the logins work; they show the session tokens and there's only one token to manage, but this works the same with really any site that has any persistent login. Google specifically was the one used in the Linus incident, where they used the Google account that's tied to the YouTube account because it just keeps you logged in, but the login mechanism is the same across many, many different services. Think about all your major web services, social media ones, online shopping sites, etc. This is really just a balance of security and convenience: logging in every single time you go to a site is inconvenient, therefore lots of these set these persistent tokens. But let's just show you how easy it is to copy a token and set that session on there, and then we'll talk about ways to defend against it.

All right, we're going to start at the sign-in page. I have an incognito browser window. I'm using an internally hosted application I have called Xen Orchestra, and what we want to do is press the magic hacker tool, F12. We want to make sure we're on Application, and we'll scroll down here to Cookies and we'll see what cookies this particular site has for us. We've got just a couple of cookies in here, but none of them say "token". Token is the one we're looking for in order to be logged in. So we go over to Bitwarden, we're going to fill in my super secure password here, hit sign in, then we're going to type in my 2FA code, and still see there's no token here. Now we have the token and now we're logged in, and that token is right here. We can just copy that; we'll copy it to the clipboard real quick. We see it says "token", and Xen Orchestra has an option here if I go here to edit my sign-in settings (don't worry about my 2FA, all this will be reset later because this is all just a demo), and I can see these different tokens that I have here. Matter of fact, this token right here I know matches this one. Matter of fact, I could even switch if I want to put this token in, but let's sign out and get rid of the token. So we click sign out here and let's log back in, but this time we're not going to use a new password. Let's pretend this is another browser. Double click here, type the word "token" (make sure you spell it right, that matters), what's the value? We just paste in the value here, press enter. Now nothing appears to have happened, because what we need to do now is paste in just a landing page inside this. Right now I'm on the sign-in page; let's just go to one of the logged-in pages, and that token works.

Now what would break this token is going over to here. Matter of fact, let's swap it out and show you that if we use this token instead, so we'll copy that one, and if we refresh the page we're still logged in. We still have these tokens here, but if we invalidate them, if we delete this token, delete this token, we're still tied in with the session but those tokens have been invalidated. So I can still go through here and see things, but if I, let's just say, refresh the page, well, I'm not signed in. I try to go to any page; that token has now been invalidated, so it always keeps bouncing me back to the sign-in page even though this token exists. This is the importance of these tokens: that's all they need, not your user, not your password, and they can't necessarily derive your username, password or anything from these tokens, but they can log in, and in some cases maybe from that they'll be able to do other things.

So let's talk about how to protect against this. Now there's not one thing you can do to protect against this, but there's a few things you can do. First, keep your system and browser up to date. This helps to mitigate any potential vulnerabilities in your system, whether you're Windows, Mac or Linux; it doesn't matter, keep all of these up to date to help slow down or limit the amount of risk or exposure you have.

Next is going to be practice principles of least privilege. Do this all the time. Do you need to be signed into everything? Where's that convenience for you versus security? You have to decide for yourself, but generally, and this is even going a little further, you don't always need to be signed into admin-level accounts. Matter of fact, some systems may have like admin level versus more basic level, especially with the security systems we deal with. I have admin things Tom does, but Tom doesn't do admin things all the time, so I don't stay logged into any type of admin account. I try to do everything minimal and only give myself the permissions I need to get the things I need done on a regular basis, and then I will elevate or log into those other sites as needed and make sure I log out. Matter of fact, I frequently pop open incognito windows just to do those logins, and yeah, that's one of my favorite uses of incognito windows: to log into something as privileged to get something minor done and then just close it, and I know those session tokens are destroyed.

Be very wary of browser plugins. This is an attack surface that not everyone's always thinking about but definitely could be bigger in the future. I know they're doing better jobs managing these in the Chrome and Firefox worlds of what browser plugins might be there, but this can be scary because they have access, a lot of them can, I should say, ask for permissions or get access to your cookies for good reasons, but that also means they can be used for bad reasons. So only put the ones you need in there.

Email attachments are where a lot of this attack surface happens. The email attachments, especially when you get an email attachment with a password, you should be incredibly suspicious of. That's not normal, and often the reason you get an email attachment with a password is not for security reasons, because they usually put the password in the email; it's so they can evade some of the detection systems, because the detection systems aren't necessarily going to read the email, find the password in the email and assemble it. Therefore you're bypassing some of those scanners, and hopefully that's the way they get in; that is what the threat actors often use these for. Call the person if you get an email attachment with a password, ask them why they did that, and if they say they didn't send it to you, at least you know you've stopped something in the middle. You can actually take your attachments, if you want, or files that you may find suspicious or questionable, and upload them to VirusTotal. This is actually good for really anything: if you're grabbing something from a website that maybe you don't usually grab it from, if you want to just run a check against it, upload it to VirusTotal and that's one more check that can be done, that's absolutely free, to see if it flags anything in there. It's not a guarantee; because it wasn't flagged doesn't mean it's not a problem, but it's one more layer that you can use in this defense-in-depth strategy. Now you can go all the way to separate sandboxes. I think that goes a little bit out of scope, but you know, having your email maybe logged into a separate box and some of your critical things logged into that could be an option as well, something to consider.

As far as anti-virus, and this comes up a lot, I don't spend a lot of time looking at the consumer market when it comes to AV systems, but I will admit I'm surprised at how well Windows Defender AV does. I would have probably been flamed, and maybe some will have some spicy comments down below about it, but I actually would tell you today in 2023 Microsoft's actually getting good at Windows Defender AV, and no, if you would have told Tom from a few years ago that, he probably wouldn't have believed you, but nonetheless Windows Defender over the years has actually become a pretty good AV system. On the commercial side we use SentinelOne and Huntress; I've talked about those on my channel before. That's more of a commercial tool that's not made for end users; it's made for us to manage businesses and manage security on there, and it usually goes a little bit further when you get into the businesses because you may be monitoring with SIEM tools and other things that, you know, you're diving a little bit more in depth. But I think for the most part the other things I mentioned are pretty good for most of your home users that are trying to protect against this.

And the final thing I'll throw out there is using a browser-based password manager. Some people think this is scary, heavy in the browser. I think the good thing is it's going to, especially for most people, it's going to be good matching to make sure you're filling in the username and password on the site you should be filling it in on. I say that because sometimes you'll see landing pages created that are actually proxies for nefarious sites, and what they're doing is they're getting in between you and the site. A man-in-the-middle attack is what this is referred to as: they're going to proxy the connection to their actual site. This will allow them to generate a session token that they'll get a copy of, and then they'll be you again, and they didn't have to get on your computer to do that. Those are kind of scary, but generally speaking browser-based password managers are going to look at the site, look at the URL, and only fill in if they match. If they don't match and you find yourself manually putting in a password and username, stop right there. There's obviously something wrong if these things don't match, and you need to stop and think critically about it.

Nonetheless, love hearing from you. Let me know if there's something more you'd like me to cover on this topic, if it makes sense, if you have hopefully a better understanding of just how simple it is to grab these tokens and copy them, and make sure you sign out of everything. Love hearing from you, leave some comments down below or head over to my forums for a more in-depth discussion, and thanks.
Info
Channel: Lawrence Systems
Views: 27,908
Keywords: LawrenceSystems, Session Tokens, web security, session cookies, id tokens, session authentication, session cookies in react, session cookies chrome, web storage
Id: XU_L1fXMVrM
Length: 9min 5sec (545 seconds)
Published: Wed Mar 29 2023