Tuesday, May 13, 2025
HomeBrowserNew Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

Published on

SIEM as a Service

Follow Us on Google News

The “Cookie Sandwich Attack” showcases a sophisticated way of exploiting inconsistencies in cookie parsing by web servers.

This technique allows attackers to manipulate HTTP cookie headers to expose sensitive session cookies, including those marked with the HttpOnly flag, making it possible to access restricted data through client-side scripts.

By combining legacy cookie standards, special characters, and browser behavior, this attack represents a critical threat to poorly configured web applications.

- Advertisement - Google News

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Exploiting Parsing Ambiguities in Cookies

The attack leverages differences in how web servers, frameworks, and browsers handle cookies based on legacy standards such as RFC2109, in contrast to the modern RFC6265 standard.

For example, browsers like Chrome allow JavaScript to create cookies with names prefixed by a $ (e.g., $Version) even though such cookies are not directly supported.

Attackers can define quoted cookie values that create a “sandwich” around sensitive cookies, leading to misinterpretation by the server.

A sample manipulation looks like this:

document.cookie = `$Version=1;`;
document.cookie = `param1="start`;
document.cookie = `param2=end";`;

This results in the following HTTP request header:

GET / HTTP/1.1
Cookie: $Version=1; param1="start; sessionId=secret; param2=end"

When processed by servers like Apache Tomcat, which falls back to legacy parsing logic upon detection, $Version, the entire string, including the sensitive, sessionId can be assigned toparam1.

If this cookie value is reflected in a response without the HttpOnly flag, attackers can extract it using client-side scripts.

Python frameworks, such as Flask, are inherently vulnerable to such attacks due to their support for quoted cookie strings and automatic encoding of special characters.

This enables attackers to bypass traditional cookie parsing safeguards without requiring the $Version attribute.

Combining XSS and Cookie Manipulation

An attack on a vulnerable web application using an analytics tracking domain demonstrated the theft of an HttpOnly PHPSESSID cookie in four stages.

First, attackers exploited a Cross-Site Scripting (XSS) vulnerability by injecting JavaScript via unsanitized attributes, bypassing AWS WAF using an oncontentvisibilityautostatechange event.

Next, they identified that a tracking domain exposed session details in cross-origin JSON responses.

The attackers then manipulated cookie headers, using the $Version attribute and modifying the path to insert a PHPSESSID value in a JSON response, which the Apache Tomcat server reflected back.

Finally, JavaScript was used to automate cookie exfiltration via a CORS request.

According to the Port Swigger, to prevent such attacks, web servers must strictly adhere to RFC6265, disable legacy standards like RFC2109, and ensure proper sanitization and security for cross-origin requests.

Always set the HttpOnly and Secure flags for sensitive cookies such as session cookies to prevent JavaScript access or transmission over insecure connections.

Sanitize user inputs and outputs rigorously, particularly for reflected values in HTTP responses or HTML attributes. Prevent the injection of arbitrary scripts or content.

Restrict cross-origin requests to trusted origins and avoid reflecting sensitive data in responses.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...

New Supply Chain Attack Compromises Popular npm Package with 45,000 Weekly Downloads

An advanced supply chain attack has targeted the well-known npm package rand-user-agent, which receives...