{
	"id": "97f786ac-7907-4314-84af-d5048703f156",
	"created_at": "2026-04-06T03:37:27.859932Z",
	"updated_at": "2026-04-10T03:21:01.051272Z",
	"deleted_at": null,
	"sha1_hash": "e65c29ea6557334142d27c8df88d367774a35e2b",
	"title": "\"Pass the Cookie and Pivot to the Clouds\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1230826,
	"plain_text": "\"Pass the Cookie and Pivot to the Clouds\"\r\nBy wunderwuzzi\r\nPublished: 2018-12-16 · Archived: 2026-04-06 03:15:13 UTC\r\nWeb applications and services use cookies to authenticate sessions and users. An adversary can pivot from a compromised host to web applications and Internet services by stealing authentication cookies from browsers and related processes. At the same time this technique bypasses most multi-factor authentication protocols. The reason for this is that the final authentication token the attacker steals is issued after all factors have been validated. Many users persist cookies that are valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk and also in process memory. Additionally, other applications on the target's machine might store sensitive authentication tokens in memory (e.g. apps which authenticate to cloud services). This pivoting technique can be extended to bearer tokens, JWTs and the like. Pass the Cookie is a post-exploitation technique to perform session hijacking.\r\nSo, let's Pass the Cookie and Pivot to the Clouds.\r\nUpdate October 2019: This tactic is now part of the MITRE ATT\u0026CK Matrix, in particular:\r\n- Credential Access - Steal Web Session Cookie\r\n- Lateral Movement - Web Session Cookie\r\nUpdate December 2018: Pass the Cookie at the Chaos Communication Congress (35C3)\r\nhttps://wunderwuzzi23.github.io/blog/passthecookie.html\r\nPage 1 of 9\r\nWatch the 35C3 Lightning Talk here:\r\nAttack Chain\r\nDisclaimer: Always make sure you have proper authorization before pen testing.\r\nPass the Cookie is done via the following steps (variations exist):\r\n1. Acquire the cookie from the victim's browser or other processes (e.g. via a process dump, or by accessing the cookie storage on disk)\r\n2. Exfiltrate the necessary authentication cookies\r\n3. Open Firefox on the attacker's machine (or any other machine)\r\n4. Navigate to the resource to access (the domain the cookie is valid for)\r\n5. Use the Developer Console and set the cookie via document.cookie=\"key=value\", or use the UI\r\n6. Refresh the page and observe being logged in as the victim.\r\nThe appendix shows examples for GitHub and Google Cloud Platform, using Google Chrome to pass the cookie.\r\nDetections\r\nWhen it comes to detections a few things come to mind:\r\n- On the client side, monitor for applications that perform process dumps on browser processes or others.\r\n- Monitor for unusual activity on critical web assets (like cloud provider management consoles, etc.)\r\n- Monitor for login anomalies (location, time, unusual access patterns)\r\n- Leverage features that cloud providers and web apps provide (Threat Detection, Access logs, …)\r\n- Perform authorized adversarial emulation in your organization to test detections\r\nMitigations\r\nTo protect from these attacks it's important to stay up to date with security patches, etc. to ensure your host does not get compromised. As a seasoned security engineer you assume the worst, and here are some ideas on how to mitigate the implications of an attack:\r\n- Regularly delete persistent cookies, so they get removed from the hard drive to limit exposure.\r\n- Delete session cookies as well\r\n- Be the only Administrator on your machine\r\n- Leverage features that cloud providers offer (Threat Detection, IAM, RBAC, Firewalls, …)\r\n- Browse sensitive sites (high value assets) from isolated or dedicated machines\r\n- Separation of duties\r\n- Requiring further authentication proof for sensitive operations can help limit the damage\r\n- Requiring client side certificates also makes it more difficult to pass the cookie\r\nAcquiring Cookies, Tools and Techniques\r\nIn case you don't want to write your own toolset, there are a couple of options available to gain access to cookies:\r\n- firefox_creds - Access the SQLite cookie databases\r\n- cookie_crimes - Neat way to grab cookies from Chrome on Macs (also Windows and Linux)\r\n- ProcDump - Swiss army knife to dump strings from any process\r\nThere are also good articles online describing how to access and decrypt the cookies in the SQLite databases yourself - if you'd like to do your own research or tool.\r\nPass The Cookie - Cheat Sheet\r\nBelow is a list of some \"cookies of interest\" for valuable web applications your organization might use. An adversary might be after those and you could emulate this to see if your organization catches the attack. This list might change over time or have inaccuracies - feel free to provide feedback or help amend.\r\nApplication | Cookie Name | Domain | Notes\r\nAmazon Web Services | aws-userInfo, aws-creds | .amazon.com | https://console.aws.amazon.com\r\nGoogle Cloud Platform | OSID, HSID, SID, SSID, APISID, SAPISID, LSID | .google.com | https://console.cloud.google.com. OSID has to be set on console.cloud.google.com, others on .google.com. LSID needed for cross-app auth (e.g. GCP to Gmail).\r\nMicrosoft Online | ESTSAUTHPERSISTENT | .microsoftonline.com | \r\nFacebook for Work | c_user, cs | .facebook.com | Also works for regular Facebook\r\nOneLogin | sub_session_onelogin.com | .onelogin.com | \r\nGitHub | user_session | .github.com | \r\nHotmail, Calendar, People | RPSSecAuth | .live.com | Access to Hotmail, … (no OneDrive)\r\nGmail | OSID, HSID, SID, SSID, APISID, SAPISID, LSID | .google.com | https://mail.google.com. For basic mail access only the first 4 seem needed.\r\nNotice: When setting cookies through the web console, each cookie has to be set individually via document.cookie=\"\". You can always view the currently set cookies via document.cookie. Also, when setting cookies ensure you set them on the correct domain. If in doubt you can try setting them on the root domain.\r\nConclusion\r\nPass the Cookie is a powerful post-exploitation technique to pivot from on-premise machines to cloud assets. It can be leveraged to bypass 2FA techniques as the cookie is in the end still a single factor.\r\nHopefully this was helpful, so you can build better detections, improvements and tests into your infrastructure to catch malicious activity.\r\nIf you have any questions or ideas feel free to send me an email at security@wunderwuzzi.net.\r\nYou can also follow or DM me on Twitter: @wunderwuzzi23\r\nAppendix - Pass the Cookie Examples\r\nExample 1) Google Cloud Platform, Gmail, …\r\nBrowse to www.google.com in private mode. We aren't logged in.\r\nOpen the Developer Console and set the appropriate cookies (see cheat sheet for cookie details).\r\nSwitch to the Application tab and look at the cookies. You can see that they got set on www.google.com, which is not what we want.\r\nUpdate the domain setting of the cookies to .google.com. The cookie for OSID has to be set to console.cloud.google.com for GCP (it works on .google.com as well, but you might observe cookie mismatch errors later if you want to go to different services outside of GCP). So this can be a bit of a hiccup at times.\r\nFinally, navigate to https://console.cloud.google.com and observe being magically logged in. If you set the LSID cookie you can also go to Gmail or the Accounts settings page.\r\nExample 2) Pass the Cookie on GitHub\r\nBrowse to the website and observe not being authenticated. No cookies.\r\nSet the appropriate cookie for the website domain (e.g. via the developer tools of the browser).\r\nRefresh the page and observe being authenticated. :)\r\nSource: https://wunderwuzzi23.github.io/blog/passthecookie.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://wunderwuzzi23.github.io/blog/passthecookie.html"
	],
	"report_names": [
		"passthecookie.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446647,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e65c29ea6557334142d27c8df88d367774a35e2b.pdf",
		"text": "https://archive.orkl.eu/e65c29ea6557334142d27c8df88d367774a35e2b.txt",
		"img": "https://archive.orkl.eu/e65c29ea6557334142d27c8df88d367774a35e2b.jpg"
	}
}