javascriptsecuritycookiesxsscookie-httponly

Impact by reflected xss with httpOnly cookies


I found reflected xss and am trying to use cookies with the httpOnly flag. I know that httpOnly doesn't allow you to access cookies via JavaScript, but is there really no way to do this (I know about the Trace request, but this is not an option in my case)? And how else can I use reflected xss if can't read cookies with httpOnly?


Solution

  • You can't access HttpOnly cookies from JavaScript and the TRACE header is not that commonly supported in the backends.

    However, there are many other attacks that a hacker can execute through XSS, like redirecting the user, changing content/links on the pages, and extracting data from the page.