Sessions and Cookies
Session theft via JavaScript and protection with the HttpOnly flag.
User Portal
Your Browser Cookies (Visible to JS): No cookies visible
Attacker script: Simulate an XSS attack that tries to read your session cookie using document.cookie.
The Security Fix: HttpOnly
The HttpOnly flag is a security measure used when setting a cookie. When present, it prevents the cookie from being accessed through client-side scripts, such as JavaScript's document.cookie.
Insecure Header:
Set-Cookie: session_token=abc123; Path=/; SameSite=Lax
Secure Header:
Set-Cookie: session_token=abc123; Path=/; SameSite=Lax; HttpOnly
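As an added example (not code from the original demo page), here is a small JavaScript model of the browser behaviour described above: a cookie jar that still sends HttpOnly cookies to the server but withholds them from document.cookie, replayed over the two headers shown. The parseSetCookie, CookieJar and simulate names are assumptions of this example, not part of the page.

```javascript
// Parse one Set-Cookie header (with or without the "Set-Cookie:" prefix) into
// its name/value and the attributes this model cares about.
function parseSetCookie(header) {
  const body = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = body.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;   // flag, no value
      case "secure":   cookie.secure = true; break;
      case "path":     cookie.path = val; break;
      case "samesite": cookie.sameSite = val; break;
      // Expires, Max-Age and Domain are ignored in this simplified model.
    }
  }
  return cookie;
}

// Minimal browser cookie jar: what goes to the server vs. what script can read.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  setCookie(header) { const c = parseSetCookie(header); this.cookies.set(c.name, c); }
  // Cookie request header: HttpOnly cookies are still sent, so the session
  // keeps working for the legitimate user.
  requestCookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join("; ");
  }
  // document.cookie as seen by page script: HttpOnly cookies are filtered out.
  documentCookie() {
    return [...this.cookies.values()].filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Replay the page's demo for one header: what the server receives versus what
// an injected script reading document.cookie would be able to see.
function simulate(setCookieHeader) {
  const jar = new CookieJar();
  jar.setCookie(setCookieHeader);
  return { sentToServer: jar.requestCookieHeader(), readableByScript: jar.documentCookie() };
}

// Constructed sample headers, taken from the page's insecure and secure examples.
const INSECURE_HEADER = "Set-Cookie: session_token=abc123; Path=/; SameSite=Lax";
const SECURE_HEADER = "Set-Cookie: session_token=abc123; Path=/; SameSite=Lax; HttpOnly";
```

With the insecure header, simulate() reports the session token as readable by script; with HttpOnly set, readableByScript is empty while sentToServer still carries the token.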