A new attack technique known as the “cookie sandwich” has surfaced, raising significant concerns among cybersecurity professionals.
This technique enables attackers to bypass the HttpOnly flag and access sensitive cookies, potentially exposing vulnerable applications to data theft and session hijacking.
Here’s a breakdown of this emerging threat, how it works, and its implications for web security.
According to the PortSwigger report, the “cookie sandwich” technique exploits vulnerabilities in how certain web servers parse cookies, particularly when dealing with legacy cookies and special characters.
By carefully crafting cookie values with quotes and using browser-specific features, attackers can manipulate the structure of the Cookie header. This manipulation exploits server-side parsing mechanisms to expose otherwise protected cookies.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The attack hinges on the following key concepts:
document.cookie = `$Version=1;`;
document.cookie = `param1="start`;
document.cookie = `param2=end";`;
This causes the server to misinterpret the cookie structure, allowing cookies enclosed between the quotes to be treated as part of a single value.
Here’s how the manipulated Cookie header might look in a request:
GET / HTTP/1.1
Cookie: $Version=1; param1="start; sessionId=secret; param2=end"
A vulnerable server might respond with:
HTTP/1.1 200 OK
Set-Cookie: param1="start; sessionId=secret; param2=end";
If the application improperly reflects the param1 cookie or does not implement HttpOnly properly, attackers can capture sensitive cookie data like session IDs.
Popular frameworks like Flask handle cookies with quoted strings by default, making them susceptible to cookie sandwich attacks. For example:
Cookie: param1="start; sessionId=secret; param2=end"
In the server response, this could become:
Set-Cookie: param1="start\073 sessionId=secret\073 param2=end";
This parsing quirk can be exploited to expose sessionId values.
In a reported real-world scenario, a tracking domain with a reflected session parameter was exploited:
This vulnerability highlights the importance of robust cookie handling and response sanitization on the server side. Here are some mitigation strategies:
The “cookie sandwich” technique underscores the evolving sophistication of web-based attacks. Organizations must stay vigilant, update their frameworks, and adopt modern security practices to protect against such exploits.
This discovery serves as a wake-up call for developers and security teams to prioritize secure cookie handling and robust input validation to safeguard user data.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…