I've been playing today with Citrix Secure Access windows client and to my surprise it's a webview driven app that holds it's authentication state using.. A Cookie that can be extracted from memory with no special privileges. The cookie can then be used to access the web portal.

Jun 22, 2022 · 6:14 PM UTC

14
116
4
467
You can't image how surprised I was when it logged me in..
1
11
Replying to @S0ufi4n3
And what's the attacker vector here? These are your credentials. Also if you're allowed to run other software, might as well start some vnc or teamviewer to control the app... An admin could easily just lock down that client to not be able to launch other apps...
2
2
Nobody is talking about any attacker vector * yet* here..
1
1
Replying to @S0ufi4n3
Never used this software before, what is the impact?
2
The impact is as usual context dependent, even if this could be used on a lateral movement attempt (accessing higher pivs user's vpn portal==accessing more internal apps), the tweet was just to point the fact that this client uses cookies.. That's all.. :)
6
Ooooh Well then
Replying to @S0ufi4n3
thank you for the heads up!
Replying to @S0ufi4n3
anyone who thinks this is a security boundary in the first place is being optimistic. you are giving the client remote access so anyone who compromises the client has remote access. it’s not rocket science.
1