New Vulnerability Threatens HttpOnly Cookies in XSS Attacks
Cross-Site Scripting (XSS) attacks exploit vulnerabilities in web applications, but they are often hindered by the HttpOnly flag, which protects cookies from client-side script access. However, attackers can still hijack HttpOnly cookies by exploiting the browser’s cookie storage limit of 4096 bytes per domain. When an attacker generates excessive cookies, the browser deletes the oldest ones, which lets the attacker manipulate the contents of the cookie jar. By carefully crafting cookies, including one that mimics a victim’s session ID, an attacker can execute a session fixation attack, leading to account takeover. This method shows that applications with XSS flaws remain exposed to session compromise even with HttpOnly protections in place.
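The following server-side check is an added example, not code from the original article: it inspects the raw `Cookie` request header for two traces that manipulation of the cookie jar can leave behind, namely a session cookie sent more than once and an unusually large number of cookies. The cookie name `sid`, the threshold `MAX_COOKIES` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: heuristic inspection of the Cookie request header.
// SESSION_COOKIE and MAX_COOKIES are assumptions; tune them per application.
const SESSION_COOKIE = "sid";
const MAX_COOKIES = 30;

// Split a Cookie header into [name, value] pairs WITHOUT collapsing duplicates.
// Most framework parsers keep only one value per name and hide this signal.
function parseCookieHeader(header) {
  return (header || "")
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? [part, ""]
        : [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Return a list of findings; an empty list means nothing suspicious was seen.
function inspectCookieHeader(header) {
  const pairs = parseCookieHeader(header);
  const findings = [];
  const sessionCount = pairs.filter(([name]) => name === SESSION_COOKIE).length;
  if (sessionCount > 1) {
    // Two cookies with the session name: one was set outside the login flow.
    findings.push("duplicate-session-cookie");
  }
  if (pairs.length > MAX_COOKIES) {
    // Far more cookies than the application itself ever sets.
    findings.push("cookie-count-exceeded");
  }
  return findings;
}

// Constructed sample headers (not captured traffic).
const normalHeader = "sid=a1b2c3; theme=dark";
const duplicateHeader = "sid=zzz999; sid=a1b2c3; theme=dark";
const floodedHeader = Array.from({ length: 200 }, (_, i) => `c${i}=x`)
  .concat("sid=zzz999")
  .join("; ");

console.log(inspectCookieHeader(normalHeader));    // []
console.log(inspectCookieHeader(duplicateHeader)); // [ 'duplicate-session-cookie' ]
console.log(inspectCookieHeader(floodedHeader));   // [ 'cookie-count-exceeded' ]
```

A request that produces a finding is a candidate for invalidating the session and expiring the session cookie. Issuing a fresh session ID at login remains the standard defence against session fixation, since an identifier planted before authentication is then never promoted to an authenticated session.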
