Mar 9, 2025 Information hub
Understanding HTTP Cookie Attributes: Security Risks and Bypass Techniques
π All HTTP Cookie Attributes Explained (With Bypass Techniques)
Cookies are used for session management, authentication, tracking, and user preferences in web applications. Secure cookies rely on attributes to protect against attacks like XSS, CSRF, and session hijacking.
Hereβs a detailed list of all cookie attributes, their purpose, and how attackers can bypass them. π¨
π Secure
What It Does?
- Ensures that the cookie is only sent over HTTPS (encrypted connections).
- Prevents transmission over HTTP, reducing the risk of MITM (Man-in-the-Middle) attacks.
Set-Cookie: session=abc123; Secureβ οΈ Bypass Techniques
- Downgrade Attack – If a website allows both HTTP & HTTPS, an attacker can force a victim to visit the HTTP version to steal cookies.
- SSL Stripping Attack – Tools like
sslstripintercept HTTPS β HTTP downgrades, exposing cookies. - Misconfigured Redirects – If
Secureisnβt enforced strictly, the cookie might be leaked via insecure HTTP.
π‘ Mitigation:
- Use
HSTS (Strict-Transport-Security)to force HTTPS. - Redirect HTTP β HTTPS at the server level.
π HttpOnly
What It Does?
- Prevents JavaScript (
document.cookie) from accessing the cookie. - Protects against XSS attacks where scripts try to steal session tokens.
Set-Cookie: auth=xyz789; HttpOnlyβ οΈ Bypass Techniques
- Cross-Site Scripting (XSS) via Headers – Attackers can steal session tokens using headers instead of JavaScript, e.g.:
fetch('/account', {credentials: 'include'}) - Session Fixation – Attackers inject their own cookie and trick users into using a compromised session.
- Cross-Site Script Inclusion (XSSI) – Attackers inject malicious scripts into JSON API responses to extract data.
π‘ Mitigation:
- Prevent XSS (CSP, sanitization, escaping user input).
- Use SameSite and Secure together to limit exposure.
π‘ SameSite (Strict, Lax, None)
What It Does?
- Controls whether cookies are sent with cross-site requests.
- Prevents Cross-Site Request Forgery (CSRF) attacks.
Set-Cookie: csrf=abc123; SameSite=Strictπ Modes & Their Security
- Strict – Blocks cookies for all cross-site requests (best for security). π
- Lax – Allows cookies for top-level navigations (not for embedded content). π
- None – Allows cookies in all cross-site requests (MUST use Secure). π¨
π Domain
What It Does?
- Defines which subdomains can access the cookie.
- By default, only the exact domain that set the cookie can use it.
Set-Cookie: user=John; Domain=.example.comπ Path
What It Does?
- Limits which URLs can access the cookie.
Set-Cookie: session=xyz123; Path=/adminπ Expiration & Max-Age
What It Does?
- Controls how long the cookie is stored.
- Expires: Sets an exact expiration date.
- Max-Age: Sets duration in seconds.
Set-Cookie: session=abc123; Max-Age=3600; Expires=Tue, 15 Mar 2025 12:00:00 GMTβ‘ Priority (High, Medium, Low)
What It Does?
- Determines which cookies are deleted first when browser storage is full.
Set-Cookie: session=xyz123; Priority=Highπ Summary of Cookie Attributes & Bypass Techniques
| Attribute | Purpose | Bypass Method | Mitigation |
|---|---|---|---|
| Secure | Forces HTTPS-only cookies | SSL Stripping, HTTP Downgrade | HSTS, force HTTPS |
| HttpOnly | Blocks JS access | Header-based attacks, XSS | XSS prevention |
| SameSite | Prevents CSRF | Open redirects, XS-Leaks | Use Strict mode |
| Domain | Controls subdomain access | Subdomain takeover | Avoid Domain unless needed |
| Path | Limits cookie access | Path traversal | Restrict Path scope |
| Expiry | Sets cookie lifetime | Session fixation | Use HttpOnly for sessions |
π Final Thoughts
π₯ Security Tip: Always use Secure, HttpOnly, and SameSite together for strong security. π
