1. Administering Oracle Access Management
  2. Appendixes
  3. Mitigating Security Risks with Session Cookies

D Mitigating Security Risks with Session Cookies

Multi-factor authentication (MFA) and password-less authentication are highly effective in reducing the damage an adversary can cause with a stolen password. However, MFA can be bypassed if a session cookie is exfiltrated (copied or stolen) from the browser of a legitimate user who has already authenticated to an application. Session cookies store information in a user’s browser after logging into a web application, keeping the user signed in without needing to re-authenticate until the session expires or they log out. Since session cookies act as bearer tokens, anyone possessing the cookie can use it, making their exfiltration a significant security risk. Bearer tokens are susceptible to Adversary-in-the-Middle (AitM) attacks, also known as Man-in-the-Middle attacks. Additionally, there has been a rise in malware designed to extract session cookies from infected browsers, as well as phishing techniques aimed at bypassing authenticators that rely on shared secrets (such as time-based OTP).

To detect and mitigate the risk of session cookie exfiltration, a defense-in-depth strategy is recommended, along with regular (re)authentication of logged-in users. Listed below are several approaches to prevent or minimize the impact of session cookie exfiltration. Since no single method is sufficient on its own, implementing a combination of these approaches is essential for effective protection.

Tune the System

OAM provides a comprehensive set of features to prevent or reduce the impact of session cookie exfiltration. The following capabilities can be utilized to mitigate or limit the risk associated with session cookie exfiltration.
  • Reduce Idle and Inactivity Timeouts. See Common Settings for more information.
    • Exceeding the idle timeout (default: 15 minutes) will result in an inactive session, which will deny access to protected resources until the user successfully re-authenticates followed by the renewal of session cookies.
  • Reduce Max Session Timeouts. See Common Settings for more information.
    • Lowering the session lifetime (default: 480 minutes) will discard all authentication and session cookies even if they are active and create a new login session. Previously issued cookies will no longer be invalid.
  • Reduce WebGates Token Lifetime. See Registered OAM Agent Configuration Parameters in the Console Registered OAM Agent Configuration Parameters in the Console for more information.
    • Exceeding the cookie lifetime (default: 60 minutes) results in existing cookies becoming invalid and new cookies being generated. This limits the impact of stolen cookies
  • Enable IP Address Validation. See IP Address Validation for WebGates for more information.
    • This feature binds the cookie to the IP address of the user agent when the user is authenticated or logged in, and this is verified during access to protected resources. Additionally, the proxy IP addresses in the request are checked, preventing the replay of stolen cookies from a different IP address.
  • Use Step-up authentication to access sensitive resources. See Server-Side Session Enforcement Examples for more information.
    • Users must be challenged by additional authentication factors before accessing sensitive resources, which minimizes the impact of session cookie exfiltration.
    • Oracle Adaptive Risk Management (OARM) allows rules based on User activity context to be used to authorize access (for example, User behavior, Geo Intelligence, Dynamic re-authentication).
    • Optionally, integrate with OARM, which enables risk modeling to address specific attack vectors. See Features of Oracle Adaptive Risk Management (OARM) for more information.

Secure the Environment

Securing the environment in which OAM is deployed is critical. An Adversary-in-the-Middle (AitM) attack relies on a compromised deployment which allows an adversary to steal session cookies. To prevent or mitigate this vulnerability,
  • Secure network limit stealing data at network level
    • Use Network level security controls (mutual TLS communication everywhere, Intrusion Detection Services, Web Application Firewalls) and regular scans to detect suspicious activity.
  • Limit access to managed and monitored devices, especially for admin access
    • Administrator access must be controlled, audited and reviewed regularly to limit the blast radius of malicious activity.

Detecting Session Cookie Exfiltration

The following patterns observed in activity logs may indicate a potential compromise.
  • Same cookies coming from multiple sources
    • When this happens during an active login session (within the Max Session Lifetime), it indicates that the IP address of the user agent or proxy is changing. While proxy IP addresses may change (for example, due to ISP forwarding proxies), it is highly unusual for the user agent's IP address to change (for example, due to a DHCP lease expiring).
  • Change in IP address in the middle of a user session
    • This is very unusual and is very suspicious.
  • Resource access not initiated by user
    • The context associated with a user in the HTTP request can be used to determine if it aligns with the user's behavior and variations can be indicative of malicious activity. Using OARM simplifies the modeling of the contextual risk and management of User Activity based rules.

Responding to Session Cookie Exfiltration

Once detected, OAM provides the Administration the ability to take action, Specifically,
  • Terminate user sessions
    • APIs and UI Console provide the ability to immediately terminate active sessions of a User or Users.
    • Disable the User(s) Account and investigate how the cookies are stolen.
  • Data/Packet stealing, malware on the user devices are the usual ways the adversaries steal the cookies.
    • Block the IP addresses of the attacker
  • Update Authorization Policy to add the suspect IP Addresses to the IPAddressRange Conditions.