Is there any way around HttpOnly cookies?


the headers from network tab

The response cookies from network tab

i have tried sending no SessionID_R3 in the header but didn’t work and tried to send empty SessionID_R3 but didn’t work and finally tried
a random same length SessionID_R3 but still didn’t work !!
is there a way i can generate these ids myself ?

here is some SessionIDs

if anyone can see a pattern

what command are you giving curl?

curl "" -H "Cookie: Language=en" --data "Username=user&Password=ec43347f4ee14004f0b12f13618c6269c9e22af8f9d4273a9d36b175dbe04ed3&challange=6u3cFR3nbzsoKvf0sWd7" -v

the next command that requires the SessionID_R3 id

curl -H “Cookie : SessionID_R3=Ddux50JDSiMOuSAtIpXfMpDIyXbOZsEBbjp7ZtvbZTecgdADJISsUpW2Tr12qoGkNO16bdoMb0Z4YiZXrtp9ppG2H5eg6nIQd6WcaA0UdjIk3pc8jAiLF3E5rz1UzHXP”

you’re not telling your curl session to use a cookiejar.

you mean so i don’t need to include the cookies and SessionID_R3 header ?
it’s not the currently problem cause i am trying to access these cookies using a js script

If you’re trying to use Javascript, then use Javascript to make the requests. If you’re using curl, you’re not using javascript.

i know but i was only able to read the response cookies using curl so i posted a pic using it

Correct, you can only read the cookies using something that doesn’t respect httponly. Doesn’t mean you can’t use the cookie in an httpRequest.

Show us your javascript.

“you can only read the cookies using something that doesn’t respect httponly”

does ajax count ? cause my code is an simple xmlhttprequest

“Doesn’t mean you can’t use the cookie in an httpRequest.”
really ? :slight_smile:

mate where did you go ?


If I didn’t mean it, I wouldnt have said it. I dont know why you need reaffirmation. Go make requests to a site that has an httponly cookie.

Oh wait, you already are. Inspect the cookie that got handed to you when you loaded this page.

" Inspect the cookie that got handed to you when you loaded this page"
is this even possible to do using js ?

You can see the cookie being handed to the browser by inspecting the response it sent to your original pageload.
You showed a picture of doing this in your original post. Go look at your network tab.

My pageload for “12” (because post 12 was at the top of my screen at the time) contains:


_forum_session=R0Jid1RpcS9ubE9wN1NsZkZoQXVoeGZ1azI2aVJPVTdMNXNKd3k1WnF2Njc5azNBOGNld0dzNEJDcEp0Nk9zMitFZjIrTFhTcGVpTnd1L1JQQklHYys2K1ZReTNLeGI0Qmg1bTRMakZZMmVHhahanoimnotgivingyoumyfullactualcookietjZFlMc1ZnMFJqcGk1c01oYkN1dmVQd2h3ejFTWFRNSWN1MnlzK0ZNR3JpeTMwQmY0UGg4T0Irc3RPLS1nVVN6UUtXWEdGK0NFVlErSFc5cE53PT0%3D--fd7e2a7406fa2c91f163d074463425f22dc0dc20; path=/community; HttpOnly; SameSite=Lax; Secure

Now, when it sends its next AJAX request to get an update (how else do you think this forum updates threads in real time?), that cookie automatically rides along the request because it’s going to the same host and path. Doesn’t require javascript forcing the cookie into the request, the browser automatically sends all cookies relevant to the domain along with all requests to said domain.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.