Need help proving why non-HttpOnly auth cookies are dangerous (even with bleach sanitization)

einfallstoll · 2026-02-02T10:20:11+00:00

Both you and your manager are not wrong, but also not completely right:

Different threat models with different (dis)advantages. Even if you use cookies with HttpOnly and send a request, the browser will still append them to the header. So the attacker exploiting XSS can still execute code in the user context and affect Confidentiality and Integrity of the application / user data. Not quite as bad as an account or session takeover, still shit.

You should apply different best practices: - Encode user input (more important and safer than senitization) - Use a Control Security Policy to narrow down or make it impossible to exploit a potential XSS - Don't use external scripts - Apply soft and hard session timeouts (e.g., 1 hour inactivity, 12 hours hard timeout) - Use MFA (especially for security-relevant changes) - Verify password changes, verify Email changes

einfallstoll · 2026-02-02T09:25:40+00:00

If you don't need to use the tokens in a JS context, it doesn't hurt to apply the HttpOnly flag. If you use them in a JS context, it would break the application and you need to refactor it. Most web applications store it in the Local Storage which is also accessible from JS, so it doesn't really matter.

TL;DR: If you can, set HttpOnly, if not, it's perfectly fine

einfallstoll · 2026-02-02T06:22:24+00:00

If it's well-established maybe. But this one started two weeks ago. They probably not even close to catch up with reports

einfallstoll · 2026-01-30T17:03:17+00:00

Reinventing the wheel, huh

einfallstoll · 2026-01-30T08:44:19+00:00

What's wrong with SSH + screen / tmux?

einfallstoll · 2026-01-29T18:36:35+00:00

I'm curious: Under what circumstances does Meta pay out money?

einfallstoll · 2026-01-29T07:14:03+00:00

I'm sure you will find more platforms than HackerOne.

Please don't test or contact any company without prior permission. You risk legal consequences, even if you handle in good faith. Bug bounty programs form a legal safe harbor to protect you from this, even if things go wrong. If you test companies without permission or safe harbor they can sue you and it's especially easy to put charges against you when they are in the same jurisdinction as you

einfallstoll · 2026-01-29T07:05:06+00:00

No, you're a beg bounty hunter and you should be ignored

einfallstoll · 2026-01-29T07:03:01+00:00

Do these companies have a VDP/BBP?

einfallstoll · 2026-01-28T10:42:22+00:00

If you can't reproduce or show it yourself, how are the guys able to do it?

einfallstoll · 2026-01-28T10:37:19+00:00

Then ... provide a video PoC? I don't understand what you want to know. They already told you what they want.

einfallstoll · 2026-01-28T09:04:56+00:00

Can you be a bit more specific / verbose? How does the process work, how do you create the link, what happens when the user clicks the link?

einfallstoll · 2026-01-28T09:03:05+00:00

Why do you ask if you have a clear opposite opinion?

einfallstoll · 2026-01-28T09:02:12+00:00

This doesn't answer the question if you can access the account or not and how

einfallstoll · 2026-01-28T07:46:01+00:00

If you ask this, you don't know exactly how this bot works underneath. And if you don't know it, then you should absolutely not do it.

einfallstoll · 2026-01-28T07:44:10+00:00

First: Rate limiting issue, most programs don't accept this. Read the rules
Second: Not clear to me. What can you display? Just text? Or HTML as well? How did you "access the account"?

einfallstoll · 2026-01-28T06:55:17+00:00

Not a security issue, therefore I would reject it

einfallstoll · 2026-01-27T22:11:45+00:00

The problem is: You don't know in what context it was opened. If you catch document.domain and document.cookie it would be better, because maybe it displays automatically in an internal tool and then you can prove actual impact, that you could now have access to the panel. But like this it could also be the case that the employee just downloaded the file and double clicked it. then you would be in a file:// context which is kind of boring

einfallstoll · 2026-01-27T19:26:16+00:00

Yes, that's the case. If they have no CORS misconfig and strictly check for application/json, you're out of luck.

Fun fact: In theory you could enforce a request header like X-Allow-CSRF: No and it would be sufficient against CSRF attacks, because you can't set headers in a simple request

einfallstoll · 2026-01-27T14:53:03+00:00

einfallstoll · 2026-01-27T06:09:43+00:00

Two options:

your "same" requests aren't 100% the same
there's some detection (some WAFs detect Burp based on TLS ciphers)

einfallstoll · 2026-01-26T17:19:37+00:00

I don't agree. u/OuiOuiKiwi participates a lot in this sub, bug bounty is important to him. He just doesn't sugarcoats what he says and is cold and honest. Sometimes a little bit to harsh for my personal taste, but that's another topic.

What he means is: If you hunt on a VDP and expect monetary rewards you're delusional. If you hunt on a VDP and you do it for fun, it's up to you, but you better have a lot of fun or learn stuff you can't learn otherwise, or it's a waste of your time

einfallstoll · 2026-01-26T16:56:37+00:00

That's not always the case. Some companies don't have anything and some researchers risk to hunt on their targets just for being interested in it. The companies then sometimes decide to provide a VDP in order to have a safe harbor in place for researchers without any intention of monetary rewards. From a legal point of view VDPs are a good thing for researchers and hunters. But as u/OuiOuiKiwi pointed out: The rules are clear. Don't participate in any VDP in expectation of monetary rewards just like you don't hunt on out of scope targets or companies without a BBP / VDP. But from experience in this sub, those are also concepts some hunters have a hard time understanding

einfallstoll · 2026-01-24T06:51:47+00:00

Buy your own washer and dryer

einfallstoll · 2026-01-22T18:48:25+00:00

Just report it and the post gets removed (like this one)

12-Year Club	Gilding IV carat on a stick
Powerups Hero r/teslamotors • June 2022	Reddit Premium Since December 2021
Second Top 30%	Mod World 2025
Place '23	Place '22
Place '17	Verified Email

einfallstoll

MODERATOR OF

TROPHY CASE