HTTP-Only Session Hijacking Through XSS

What is HTTP Only

An HTTP only cookie is a typical browser cookie with the purpose of storing information in a specific way. The HTTP Only is a tag that is added to a typical cookie that tells the browser to not display the cookie through a client-side script. It provides a gate that prevents the specialized cookie from being accessed by anything other than by the server. It’s an additional risk mitigation flag that helps prevent any risk in protected cookies, thus making them more secure.


The attacker can compromise the session token by using malicious code or programs running at the client-side. The example shows how the attacker could use an XSS attack to steal the session token.

Because the server keeps track of the current authenticated user by means of the value of the session cookie, whenever this session cookie gets compromised an attacker is able to impersonate this user by changing his current session cookie with the compromised session cookie in his browsers session storage.

Lets start the application and login with the default credentials.

For Instance,Text input fields are a perfect indicator that we might want to start testing for cross site scripting attacks.

The agenda is to obtain the users session cookie to perform a session hijacking attack and to be able to impersonate the user on the server.


We can tell if we can hijack the session information by inspecting the cookies and see if the HTTP/HttpOnly attribute is enabled for the session cookie.

Highlighted in red we find this attribute and see that it is not activated for this application.

So, its vulnerable as the HTTP attribute is false.

Now we’ll check, if we are able to display the session information using the XSS or you can alert (javascript) code snippet.

By injecting the code i.e. : “<script>alert(document.cookie)</script>”,

We ll get the response as a session information with the key and value in an alert box.
Here’s a screen capture of what I found :


Eventually Now we can determine that :

  1. We can inject malicious code using javascript
  2. The HTTP attribute is not session cookie.

We can now build a payload and hijack the server to the malicious web server using the steps below:

  1. Starting the SimpleHTTP Server using python on a given port

Then inject the malicious piece of javascript , just as it is in screenshot that is responsible for hijacking the victims session information.

Which as a result , gave response on my python server log with the session key and value.


The attacker can now change the session cookie value in his browers console by the session cookie that we hijacked with our malicous payload to “hijack” the victims account.


Table of Contents

Social Media