Decrypt LOL


New Technique Exposes HttpOnly Cookies to Attacks


🍪🔓 New “cookie sandwich” technique exposes HttpOnly cookies to attacks. A recent article introduces the “cookie sandwich”, a way to read HttpOnly cookies from client-side script on servers whose cookie parser still honours the legacy RFC 2109 cookie syntax. The HttpOnly flag only stops document.cookie from returning a cookie; it says nothing about what the server does with the value once it arrives. On a legacy-aware parser, a cookie named $Version switches on that syntax, and a cookie value that opens with a double quote is then read up to the closing quote, semicolons included. An attacker who can set ordinary cookies in the victim's browser (for example through an XSS on the site) adds one cookie whose value starts with a quote and another whose value ends with one, so that the Cookie header the browser sends wraps the HttpOnly cookie between them. The server parses the sandwiched session cookie as part of the attacker's cookie value, and if the application reflects that value anywhere in a response the attacker's script can read, the HttpOnly cookie leaks with it. The article's real-world case chains a reflected XSS with such a reflection to steal an HttpOnly PHPSESSID cookie.

Two practical checks follow. Find out which cookie parser your framework uses and whether it accepts quoted values or a $Version cookie, and never reflect raw cookie values into responses without strict validation. Note also that whether the two “bread” cookies land on either side of the target in the Cookie header depends on the browser's cookie ordering (longer paths first, then older cookies), which an attacker can steer through the Path attribute.
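The parsing difference described above, as an added example that is not code from the article or from any server it discusses. It models a strict RFC 6265 parser beside a legacy quote-aware one, feeds both the same constructed Cookie header, and shows how a hypothetical reflecting endpoint turns the sandwiched PHPSESSID into a leak; the cookie names other than PHPSESSID, the session value, the endpoint and the $Version trigger rule are assumptions for illustration, and real servers' exact parsing rules vary.

```python
"""Cookie-sandwich parsing demo (added example, not the article's code)."""
import re
from typing import Optional
from http.cookies import SimpleCookie

# Constructed Cookie header as a browser would send it after an attacker script
# on the same site ran roughly:
#   document.cookie = '$Version=1; path=/'
#   document.cookie = 'param1="start; path=/'   # opening quote, never closed
#   document.cookie = 'param2=end"; path=/'     # closing quote
# with the HttpOnly PHPSESSID already present and ordered between them.
# Names other than PHPSESSID and the value abc123 are hypothetical.
COOKIE_HEADER = '$Version=1; param1="start; PHPSESSID=abc123; param2=end"'


def parse_cookie_header(header: str, legacy_quotes: bool = False) -> dict:
    """Parse a Cookie request header into {name: value}.

    legacy_quotes=False: RFC 6265 style, split on ';', quotes are just bytes.
    legacy_quotes=True : RFC 2109 style, once a $Version cookie has been seen a
                         value opening with '"' runs to the next '"' (or to the
                         end of the header), semicolons included.  This mirrors
                         the behaviour the article relies on (assumed rule).
    """
    cookies = {}
    pos, n = 0, len(header)
    quoted_mode = False
    while pos < n:
        while pos < n and header[pos] in " ;":   # skip separators
            pos += 1
        if pos >= n:
            break
        eq = header.find("=", pos)
        if eq == -1:
            break
        name = header[pos:eq].strip()
        pos = eq + 1
        if quoted_mode and pos < n and header[pos] == '"':
            end = header.find('"', pos + 1)
            if end == -1:
                end = n                              # unterminated: eat the rest
            value = header[pos + 1:end]
            pos = end + 1
        else:
            end = header.find(";", pos)
            if end == -1:
                end = n
            value = header[pos:end].strip()
            pos = end
        if name == "$Version" and legacy_quotes:
            quoted_mode = True
        cookies[name] = value
    return cookies


def reflect(cookies: dict, name: str) -> str:
    """Hypothetical vulnerable endpoint: echoes a cookie value into a JSON body
    that the attacker's script can read with fetch().  This reflection, not the
    parser alone, is what turns the sandwich into a leak."""
    return '{"%s": "%s"}' % (name, cookies.get(name, ""))


def extract_session(body: str) -> Optional[str]:
    """What the attacker's script does with the reflected body."""
    m = re.search(r'PHPSESSID=([^;"]+)', body)
    return m.group(1) if m else None


def stdlib_view(header: str) -> dict:
    """Python's own http.cookies parser accepts RFC 2109 quoted values without
    any $Version trigger, so it shows the same sandwich out of the box."""
    jar = SimpleCookie(header)
    return {k: m.value for k, m in jar.items()}


def safe_reflect(cookies: dict, name: str) -> str:
    """Hardened variant: only echo a single plain cookie token.  Together with
    RFC 6265 parsing this closes the leak even if the sandwich is attempted."""
    value = cookies.get(name, "")
    if not re.fullmatch(r"[A-Za-z0-9_\-]*", value):
        return '{"error": "invalid cookie value"}'
    return '{"%s": "%s"}' % (name, value)


if __name__ == "__main__":
    strict = parse_cookie_header(COOKIE_HEADER)
    legacy = parse_cookie_header(COOKIE_HEADER, legacy_quotes=True)
    print("strict :", strict)
    print("legacy :", legacy)
    print("leaked :", extract_session(reflect(legacy, "param1")))
    print("stdlib :", stdlib_view(COOKIE_HEADER))
    print("safe   :", safe_reflect(legacy, "param1"))
```

Run it and compare the two parses: the strict parser keeps PHPSESSID as its own cookie, while the legacy parser swallows it into param1, which is exactly what a reflecting endpoint then hands back to the page. The stdlib_view function is a quick way to check that a parser you rely on (here Python's http.cookies) has the quote-aware behaviour at all.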
