> HttpOnly Attribute: Prevents client-side JavaScript from accessing the cookie, neutralizing XSS attacks
Just a note that ‘HttpOnly’ doesn’t neutralize XSS (although this is not the main point of this blog).
This is dangerously misleading. HttpOnly prevents cookie theft, but it absolutely doesn't "neutralize" XSS.
First, even with HttpOnly cookies, malicious JS can still make requests on behalf of the user - the browser happily attaches all cookies (including HttpOnly ones) to XHR/fetch requests. So an attacker can still
`fetch('/api/admin/add-user', {method: 'POST', body: JSON.stringify({email: 'attacker@evil.com', role: 'admin'})})`
or delete data, transfer funds, whatever the victim is authorized to do. They don't need to read the cookie, they just need the browser to send it.
This is why many apps ask for your password to change your email or reauthenticate you/trigger an MFA workflow when doing certain things.
Second, tons of XSS attacks don't even care about your cookies. They can rewrite the DOM with a fake login page and harvest credentials directly. They can keylog everything you type. They can steal data that's already on the page, redirect you to phishing sites, or mine crypto with your CPU.
HttpOnly is a good defense-in-depth measure, but calling it a neutralizer for XSS is like saying a seatbelt neutralizes car accidents. You still need proper input validation, (contextual) output encoding, CSP etc.
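The re-authentication point above, as an added example (not code from the thread or from any project it mentions): a server-side gate for a sensitive endpoint that treats a valid session cookie as necessary but not sufficient, and also requires a recent password/MFA step-up. The session store, cookie name `sid`, and the 5-minute window are constructed for illustration.

```javascript
// Added example, hypothetical names throughout. The point: the browser will
// attach the session cookie (HttpOnly or not) to any request page JS makes,
// so a sensitive action must also check for a recent re-authentication.

const REAUTH_WINDOW_SEC = 300; // constructed: step-up must be < 5 min old

// Constructed in-memory session store: sid -> { userId, lastReauthAt (epoch seconds) }
const sessions = new Map([
  ['sid-fresh', { userId: 'alice', lastReauthAt: 1_700_000_000 }],
  ['sid-stale', { userId: 'bob',   lastReauthAt: 1_700_000_000 - 3600 }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide whether a request to a sensitive endpoint (change email, add admin,
// transfer funds) may proceed. Returns a result object rather than sending a
// response so it can be unit-tested without an HTTP framework.
function authorizeSensitiveAction(req, nowSec) {
  const cookies = parseCookies(req.headers && req.headers.cookie);
  const session = sessions.get(cookies.sid);
  if (!session) {
    return { ok: false, status: 401, reason: 'no session' };
  }
  // A session exists, i.e. the cookie was sent. That alone proves nothing
  // about who initiated the request, so require a fresh step-up.
  if (nowSec - session.lastReauthAt > REAUTH_WINDOW_SEC) {
    return { ok: false, status: 403, reason: 'reauthentication required' };
  }
  return { ok: true, status: 200, userId: session.userId };
}

// Called after the user successfully re-enters a password or completes MFA.
function recordReauth(sid, nowSec) {
  const session = sessions.get(sid);
  if (session) session.lastReauthAt = nowSec;
  return Boolean(session);
}

module.exports = { parseCookies, authorizeSensitiveAction, recordReauth, REAUTH_WINDOW_SEC };
```

The 403 path is where the app redirects to a password prompt or MFA challenge; only after `recordReauth` does the original action go through. Script running in the page can still drive that flow if the user types their password into it, which is exactly why this is defense in depth rather than a fix for XSS.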
I fully agree. Anyone who wants to defend against XSS should have a tightly locked down CSP. That's the only way. (no, "careful" coding isn't reliable enough)
I think you mean a tightly locked down CSP and “careful” coding (just escape practically everything you render), a tightly locked down CSP is also not reliable enough.