New Technique Exposes HttpOnly Cookies to Attacks
/ 1 min read
🍪🔓 New “cookie sandwich” technique exposes HttpOnly cookies to attacks. A recent article introduces the “cookie sandwich” technique, which allows attackers to bypass the HttpOnly flag on certain servers by manipulating how cookies are parsed. By using special characters and legacy cookie attributes, an attacker can mislead the server into exposing sensitive HttpOnly cookies to client-side scripts. The technique exploits vulnerabilities in web applications, particularly those that reflect cookie values without proper validation. A real-world example demonstrated how an attacker could steal an HttpOnly PHPSESSID cookie through a reflected XSS vulnerability. The article emphasizes the importance of understanding cookie security and the parsing behaviors of web frameworks to mitigate such risks.
