by hsbauauvhabzb
1255 days ago
I’ll preface this with the acknowledgement that HttpOnly is misunderstood by many, but it won’t change anything: HttpOnly only prevents session theft because you cannot read the cookie, but you can still use it. You can still perform actions by sending AJAX requests with cookies attached. In a subdomain takeover you receive cookies on all requests, and you can view these irrespective of HttpOnly unless you are limited to controlling the HTML and JS of the subdomain (which I think is true of GitHub static sites). HttpOnly is largely a failed mitigation, and modern SPAs require access to JWT tokens, which compounds that; the solution is to focus on appropriate scoping (to prevent subdomain hijacks having such implications) and preventing XSS.
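The two browser behaviours the comment above relies on, modelled as an added example (not code from the thread or from any project it mentions): a tiny cookie jar that applies RFC 6265 domain matching and the HttpOnly flag, so you can check what script on a page can read versus what a credentialed request from that page (or from a taken-over subdomain) would carry. All hostnames and Set-Cookie headers are constructed; `parseSetCookie`, `cookieHeader` and `documentCookie` are names invented here and only simulate what a browser does for `document.cookie` and `fetch(..., { credentials: 'include' })`. The IP-address exclusion from the RFC's domain-match rule and cookie Path handling are omitted for brevity.

```javascript
// Added example: minimal cookie jar showing why HttpOnly blocks reading a
// cookie but not using it, and why Domain=example.com leaks the cookie to
// every subdomain (including a hijacked one). Not a real browser; hosts and
// headers below are constructed for the demonstration.

// RFC 6265 section 5.1.3 domain-match (IP-address check omitted by assumption).
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith(domain) && host[host.length - domain.length - 1] === '.';
}

// Parse one Set-Cookie header received from `requestHost`.
// Returns null when the browser would reject the cookie (Domain attribute
// that the responding host does not match), as a real user agent does.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('='),
    domain: requestHost, // host-only until a Domain attribute says otherwise
    hostOnly: true,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain' && v) {
      cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  if (!cookie.hostOnly && !domainMatches(requestHost, cookie.domain)) return null;
  return cookie;
}

function buildJar(setCookies) {
  const jar = [];
  for (const [host, header] of setCookies) {
    const c = parseSetCookie(header, host);
    if (c) jar.push(c);
  }
  return jar;
}

// Cookies the browser attaches to a request sent to `host`.
function cookiesFor(jar, host) {
  return jar.filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)));
}

// Cookie header of a credentialed request to `host`: what an XSS payload
// doing fetch(url, { credentials: 'include' }) gets to use without ever
// seeing the values.
function cookieHeader(jar, host) {
  return cookiesFor(jar, host).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What document.cookie exposes to script on `host`: HttpOnly cookies are hidden.
function documentCookie(jar, host) {
  return cookiesFor(jar, host)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed Set-Cookie headers as app.example.com might send them.
const SET_COOKIES = [
  ['app.example.com', 'sid=abc123; HttpOnly; Secure'],                  // host-only, hidden from script
  ['app.example.com', 'sid_wide=xyz789; Domain=example.com; HttpOnly'], // scoped to the whole domain
  ['app.example.com', 'theme=dark'],                                    // ordinary, readable by script
  ['app.example.com', 'evil=1; Domain=attacker.example'],               // rejected: host does not match
];

function demo() {
  const jar = buildJar(SET_COOKIES);
  return {
    jarSize: jar.length,
    scriptSeesOnApp: documentCookie(jar, 'app.example.com'),
    requestFromApp: cookieHeader(jar, 'app.example.com'),
    requestToTakenOverSub: cookieHeader(jar, 'takeover.example.com'),
  };
}

console.log(demo());
```

Running it shows script on app.example.com only sees `theme=dark`, yet a request it triggers still carries both `sid` cookies, which is the "can't read it, can still use it" point; the host-only `sid` never reaches takeover.example.com, while the `Domain=example.com` cookie does, which is the scoping point.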