Here's how attackers are hijacking Citrix web sessions with a single weird HTTP request (aka 'CitrixBleed 2'):

No phishing. No malware. No clicks. Just one HTTP request. That is all it takes to compromise multiple user sessions. But how is that possible? Let's explore today.

(Context: Citrix NetScaler Gateway is used for secure remote access. It acts as a front door for employees to log into internal apps from anywhere.)

Attacker Flow:

1) Attacker identifies an internet-facing Citrix Gateway login page (using Shodan).
2) Attacker enters a random username & password > intercepts the POST request > POST parameters look something like this:
   POST /login … login=rohit&passwd=testpass …
3) Here's the interesting part: the attacker now sends the request to include just the 'login' parameter with no value:
   POST /login … login …
4) And guess what? In a weird twist, the server starts leaking random info from memory (see pic for clarity, credits: watchTowr).
5) Now the attacker sends the same request again > and the server leaks new info from memory.
6) The attacker repeats this dozens of times, harvesting new random bits of memory > eventually, the server leaks session IDs, tokens etc. > the attacker replays them > compromises any user!

A Few Thoughts:

1) What's happening here is this: the backend code takes the value of the 'login' parameter, assigns it to a local variable and displays it back. But there is a problem: the local variable is not initialized. So, when you don't assign any value at all for 'login', it just displays whatever value existed in that memory space from before! This is a classic memory leak issue in the C language.
2) When hunting for bugs, attackers look for one thing above all: a single bug that can lead to thousands of compromises. A remote gateway is perfect for this. It serves as the front door for thousands of employees to access internal apps. Break it, and you do not just get one account; you could get them all.
3) The attacker had a simple question: "What if we just provide the login parameter, but don't provide the equal sign or a value (expected by the HTTP spec) to try and trigger parsing issues? What happens then?" If you're a security analyst, realizing the power of "what if" can immensely benefit you in uncovering these less obvious bugs.
4) History has a way of repeating itself in cybersecurity. In 2023, Citrix faced a similar memory leak zero-day that caused damage, known as CitrixBleed. Now this new CVE, with a CVSS score of 9.3, is published, and reports show CitrixBleed 2 is already being heavily exploited.
5) How to defend?
   1) Apply the patches released by Citrix.
   2) Audit external NetScaler exposure.
   3) Implement network ACLs if patching is delayed.
   4) After patching, terminate all active sessions.

If you enjoyed this, follow me at Rohit Tamma for new posts every week!
Topmate: https://lnkd.in/g8VnqWZA
#cybersecurity #infosec #threathunting #threatdetection #zeroday
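The root cause the post describes (a value variable that is only written when `key=value` is present, then echoed back regardless) is easiest to see in a few lines of C. The following is an added example and is not NetScaler code or the post author's: `copy_login_unsafe` models the bug class using a caller-supplied buffer pre-filled with a constructed stale string, so the behaviour is deterministic rather than undefined, and `copy_login_safe` is the hardened form that initialises its output on every path and reports a bare `login` key as an explicit empty result instead of echoing old buffer contents. The form-body strings, the `STALE` placeholder and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result of looking up the 'login' form field. */
enum login_result {
    LOGIN_MISSING = 0,   /* no 'login' key in the body at all            */
    LOGIN_EMPTY   = 1,   /* bare "login" (no '=') or "login=" (no value)  */
    LOGIN_VALUE   = 2    /* "login=<non-empty value>"                      */
};

/* Find "login" as a whole key in an application/x-www-form-urlencoded body.
 * Returns a pointer to the character right after the key ('=', '&' or NUL),
 * or NULL when the key is absent. Keys such as "xlogin" do not match. */
static const char *find_login_key(const char *body)
{
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *key_end = p + strcspn(p, "=&");
        if ((size_t)(key_end - p) == 5 && strncmp(p, "login", 5) == 0)
            return key_end;
        const char *next = strchr(p, '&');
        if (next == NULL)
            break;
        p = next + 1;
    }
    return NULL;
}

/* Copy the value after "login=" into out, stopping at '&' and truncating to fit. */
static void copy_value(const char *val, char *out, size_t outlen)
{
    size_t n = strcspn(val, "&");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, val, n);
    out[n] = '\0';
}

/* VULNERABLE PATTERN (a model of the bug class, not NetScaler code):
 * out is written only when "login=value" is present. For a bare "login"
 * key nothing is written, so a caller that declared out without
 * initialising it echoes whatever the previous request left behind. */
void copy_login_unsafe(const char *body, char *out, size_t outlen)
{
    const char *after = find_login_key(body);
    if (after != NULL && *after == '=' && outlen > 0)
        copy_value(after + 1, out, outlen);
    /* no '=' present: out is left untouched on purpose, to show the defect */
}

/* HARDENED: out is made a valid empty string before anything else happens,
 * and a bare key is reported explicitly instead of being silently echoed. */
enum login_result copy_login_safe(const char *body, char *out, size_t outlen)
{
    if (outlen == 0)
        return LOGIN_MISSING;
    out[0] = '\0';                       /* initialised on every path */
    const char *after = find_login_key(body);
    if (after == NULL)
        return LOGIN_MISSING;
    if (*after != '=')
        return LOGIN_EMPTY;              /* "login" with no '=' */
    copy_value(after + 1, out, outlen);
    return out[0] == '\0' ? LOGIN_EMPTY : LOGIN_VALUE;
}

/* Constructed stale content standing in for whatever sat in that memory before. */
#define STALE "stale-session-token"

/* 1 if the unsafe copy leaves the stale content in place for this body. */
int unsafe_keeps_stale(const char *body)
{
    char buf[32] = STALE;
    copy_login_unsafe(body, buf, sizeof buf);
    return strcmp(buf, STALE) == 0;
}

/* Runs the hardened copy over a buffer pre-filled with stale content and
 * leaves the resulting value in last_value for inspection. */
char last_value[32];
enum login_result safe_parse(const char *body)
{
    strcpy(last_value, STALE);
    return copy_login_safe(body, last_value, sizeof last_value);
}

int main(void)
{
    char buf[32] = STALE;
    copy_login_unsafe("login", buf, sizeof buf);
    printf("unsafe, bare 'login' key       -> \"%s\"\n", buf);
    enum login_result r = safe_parse("login");
    printf("safe,   bare 'login' key       -> \"%s\" (result %d)\n", last_value, (int)r);
    r = safe_parse("login=rohit&passwd=testpass");
    printf("safe,   login=rohit&passwd=... -> \"%s\" (result %d)\n", last_value, (int)r);
    return 0;
}
```

The point to take from the two functions is that the hardened version does not depend on the parser ever reaching the copy: the output is a valid empty string the moment the function is entered, so a missing `=` can never turn into a read of whatever the previous request left in that buffer. The same discipline (initialise outputs before parsing, report "absent" and "empty" as distinct results) is what a code review would look for in any native request handler.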
Session Hijacking Methods
Summary
Session hijacking methods are techniques attackers use to steal or take over a user's active login session, often bypassing traditional security measures such as passwords or multi-factor authentication. These attacks can give cybercriminals unauthorized access to sensitive data and systems by intercepting the session tokens or cookies that prove a user's identity.
- Patch vulnerabilities: Regularly update your software and apply security patches to prevent attackers from exploiting known flaws that lead to session leaks.
- Audit access points: Review and limit exposure of remote access gateways and cloud authentication portals that could become targets for session hijacking.
- Monitor for unusual activity: Set up alerts to spot suspicious logins or sudden changes in user behavior, which may indicate a stolen session is being used by an attacker.
The "Cookie-Bite" attack is a sophisticated method that enables cybercriminals to bypass multi-factor authentication (MFA) by hijacking session cookies, granting persistent unauthorized access to cloud environments such as Microsoft 365 and Azure Entra ID. This technique undermines traditional authentication measures and poses significant risks to organizational security.

Summary: The Cookie-Bite attack targets authentication cookies, specifically ESTSAUTH and ESTSAUTHPERSISTENT, used by Azure Entra ID (formerly Azure Active Directory) to maintain authenticated sessions. Attackers employ various methods to steal these cookies, including:
- Adversary-in-the-Middle (AiTM) attacks utilizing reverse proxy tools to intercept cookies in real time.
- Dumping browser process memory to extract decrypted cookies from active sessions.
- Deploying malicious browser extensions that access cookies within the browser's security context.
- Decrypting locally stored browser cookie databases.

Once obtained, these cookies are injected into the attacker's browser, allowing them to impersonate legitimate users without needing credentials or MFA tokens. This method enables lateral movement within cloud environments and access to sensitive applications like Microsoft Graph Explorer. https://lnkd.in/dPzcjH6g
Organizations need to recognize that MFA is not a guaranteed security solution. Astaroth is a new phishing kit that debuted on cybercrime forums in late January 2025, and it has some clever tricks up its sleeve. By using session hijacking and real-time credential interception, this kit can bypass two-factor authentication (2FA). It operates similarly to an evilginx-style reverse proxy, seamlessly intercepting and modifying the traffic between users and trusted services like Gmail, Yahoo, and Microsoft. Acting as a man-in-the-middle, it collects login credentials, tokens, and session cookies as they are being used, making it quite challenging to protect MFA.
🔐 MFA isn’t bulletproof. Yes, you read that right. Hackers are now using advanced phishing techniques — like Evilginx — to bypass Microsoft 365 MFA and steal session tokens without ever needing a password. To show how this works (and how to stop it), I invited Microsoft MVP Jon Jarvis onto my channel for a live phishing demo. In the video, we cover: ✅ A real-world Evilginx phishing attack ✅ How session hijacking beats traditional MFA ✅ How to protect your users with Entra ID P2 & Conditional Access If you're responsible for securing Microsoft 365 environments — either as an internal IT pro or an MSP — this is one you don't want to miss. 🎥 Video link in the comments 👇 #Microsoft365 #ConditionalAccess #EntraID