by tmsbrg 1792 days ago
They don't need your session cookie either. An attacker can just use XMLHttpRequest to perform any actions as you on the website, and read the web page results. E.g. go to your profile and steal all your personal data.

They can also set up a keylogger or fake login screen and wait for you to type or paste in your password yourself.

I've always thought the HttpOnly cookie flag is overrated. Stealing the session cookie may be the easiest attack but it's hardly the only one.

1 comments

I'm pretty sure you can defend against this with JavaScript script hashes and restrictive CSR's, but yeah, they are quite involved to set up.
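
The script-hash defence mentioned in the reply, sketched with Content-Security-Policy hash sources. This is an added example, not part of the thread: the sample page, the function names and the directive set are assumptions, and `inlineScriptAllowed` is a simplified model of the browser's check, not a browser API.

```javascript
// Added example: build a hash-based Content-Security-Policy for a page and
// model which inline scripts a CSP-enforcing browser would execute.
const crypto = require("crypto");

// Constructed sample page with one legitimate inline script.
const PAGE = `<!doctype html>
<html><body>
<script src="/static/app.js"></script>
<script>document.title = "Profile";</script>
</body></html>`;

// Return the text of every inline <script> (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// CSP hash source: base64 SHA-256 of the exact script text, whitespace included.
function hashSource(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Policy that allows same-origin script files plus the hashed inline scripts only.
function buildPolicy(html) {
  const hashes = inlineScripts(html).map(hashSource);
  return [
    "default-src 'self'",
    `script-src 'self' ${hashes.join(" ")}`.trim(),
    "connect-src 'self'", // script-initiated requests stay same-origin
    "form-action 'self'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Simplified model: an inline script runs only if its hash is listed in script-src.
function inlineScriptAllowed(policy, scriptText) {
  const scriptSrc = policy.split("; ").find((d) => d.startsWith("script-src ")) || "";
  return scriptSrc.split(" ").includes(hashSource(scriptText));
}

const POLICY = buildPolicy(PAGE);
console.log("Content-Security-Policy:", POLICY);
```

Any edit to an inline script, even a whitespace change, alters its hash, so the policy has to be regenerated whenever the page's inline scripts change.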