“Stealing HttpOnly cookies with the cookie sandwich technique …”
T1539 Steal Web Session Cookie
83%
“cookies have path value /json to change cookie order. - Finally the script appends the cookie dummy=qaz". - The script then makes a CORS request to the tracking application endpoint, which reflects the manipulated PHPSESSID cookie in the JSON response. Final exploit: async f…”
T1539 Steal Web Session Cookie
70%
“, 22 January 2025 at 14:45 UTC - Updated: Monday, 30 June 2025 at 16:01 UTC In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version co…”
T1190 Exploit Public-Facing Application
69%
“cookies and exploit the reflection vulnerability to capture the HttpOnly PHPSESSID cookie. Here’s an example of the malicious request I used: GET /json?session=ignored Host: tracking.example.com Origin: https://www.example.com Referer: https://www.example.…”
T1190 Exploit Public-Facing Application
34%
“for the cookie sandwich attack. Typically, when a user first visits a site, the server creates a random string visitorid and stores it in cookies. This visitorid is then shown on the webpage for analytics: <script>{"visitorid":"deadbeef"}</script> This scenario cr…”
Summary
In this post, I will introduce the "cookie sandwich" technique, which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie.