Cyber Security News

New Cookie Sandwich Technique Let Attackers Bypass HttpOnly Flag On Servers

A newly discovered attack technique, dubbed the “cookie sandwich,” enables attackers to bypass the HttpOnly flag on certain servers, exposing sensitive cookies, including session identifiers, to client-side scripts.

The “cookie sandwich” attack exploits flaws in how web servers parse cookies when special characters, quotes, and legacy attributes are introduced. 

By strategically crafting cookie headers, attackers can manipulate the server’s interpretation of cookie structures, effectively exposing HttpOnly cookies.

Key Mechanisms Of The Attack

Legacy Cookie Parsing: Many web servers support both modern (RFC6265) and legacy (RFC2109) cookie standards. If a cookie header begins with a $Version attribute, servers often default to legacy parsing logic.


Quoted Strings: Legacy parsing allows quoted strings in cookie values. The parser continues reading until it encounters an unescaped closing quote ("), potentially including unrelated cookies within the quoted value.

Backslash Unescaping: Characters preceded by a backslash (\) are unescaped during parsing, further complicating cookie handling.

[Figure: Create a cookie sandwich to steal a restricted cookie value; how the server interprets it]

Zakhar Fedotkin, a security researcher at PortSwigger, said if the application reflects the param1 value in its response or lacks proper escaping mechanisms, the entire string—including the sensitive sessionId—can be exposed.
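To make the parsing difference described above concrete, the following is an added example (not code from the article or from PortSwigger): a deliberately simplified model of an RFC2109-style quoted-string parser beside a plain RFC6265-style parser, run over a constructed Cookie header that uses the param1 / sessionId / param2 layout from the figure, plus a small detection heuristic a defender can run over incoming headers. The parsers are educational models only, not Tomcat's or any other server's actual code, and SECRET_PLACEHOLDER stands in for a real session value.

```python
# Constructed sample: what the server receives when the browser sends the
# attacker-controlled param1/param2 cookies around an HttpOnly sessionId.
SAMPLE_HEADER = '$Version=1; param1="start; sessionId=SECRET_PLACEHOLDER; param2=end"'


def parse_rfc6265(header: str) -> dict:
    """Modern parsing: split on ';', then on the first '='. Quotes are not special."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def parse_legacy_quoted(header: str) -> dict:
    """Simplified RFC2109-style model: a value starting with '"' is read up to the
    next unescaped '"', and backslash escapes are removed. Assumes every cookie
    is written as name=value (an educational model, not a real server parser)."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in "; \t":  # skip separators
            i += 1
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':  # quoted value: ';' no longer terminates it
            i += 1
            buf = []
            while i < n and header[i] != '"':
                if header[i] == "\\" and i + 1 < n:
                    i += 1  # unescape: keep the following character literally
                buf.append(header[i])
                i += 1
            i += 1  # consume the closing quote
            value = "".join(buf)
        else:
            end = header.find(";", i)
            end = n if end == -1 else end
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def uses_legacy_syntax(header: str) -> bool:
    """Detection heuristic: the header opts into legacy parsing and carries quotes."""
    return header.lstrip().startswith("$Version") and '"' in header
```

With the sample header, the modern parser yields a separate sessionId cookie, while the legacy model folds it into param1, which is exactly the value the article says can leak when param1 is reflected.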

In one proof-of-concept attack, researchers exploited an XSS vulnerability on a vulnerable application running Apache Tomcat:

XSS Injection: JavaScript was injected into an error page due to improper input sanitization.

Cookie Manipulation: The script set $Version, param1, and param2 cookies to create the “sandwich.”

Reflection Exploitation: The manipulated cookies were reflected in a JSON response from a tracking domain, exposing the HttpOnly PHPSESSID cookie.

[Figures: a crafted request; the server response]

Impact And Vulnerable Systems

This vulnerability affects web applications relying on legacy parsing or frameworks that support quoted strings by default (e.g., Python Flask). 

Note that RFC2109 parsing is supported by default in Apache Tomcat versions 8.5.x, 9.0.x, and 10.0.x.

In this scenario, the technique chains XSS, cookie manipulation, and the tracking application's reflection of cookie values.

The “cookie sandwich” technique underscores the importance of robust cookie security practices and careful handling of legacy compatibility features. 

As attackers continue to exploit overlooked vulnerabilities, organizations must proactively update their systems and adopt modern security standards to safeguard user data.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
