Web-AppSec / November 1, 2021 • 3 min read
What’s in the Cookie Jar?
This is something you may have read about in “older” web application security books; the concept is called Cookie Jar Overflow. The idea is simply to create more cookies than the browser will store, so that it begins evicting older cookies. Today, however, developers are encouraged to protect sensitive cookies by setting the HttpOnly flag, so that a potential XSS cannot read them. Meaning, you can’t simply overwrite or read a cookie set with this flag from script. But as it turns out, if you overflow the browser’s cookie jar, you can overwrite the cookie you want with a new value, thereby removing the HttpOnly flag.
According to my tests, this only works in Chrome, just as Sam had reported. Firefox does not seem to allow an HttpOnly cookie to be overwritten even if you overflow the cookie jar. Hats off to Mozilla!
In order to test this, I whipped up a simple Go server which you’ll find below:
/setcookie and then browse back to the main page; you should see the cookie there. Next, overflow the cookie jar with the following code snippet (paste it into the dev tools console):
secret_cookie should have the value hacked1 and the HttpOnly flag should be set to false. You can verify this in the cookie storage tab in developer tools.
Depending on what the cookie is being used for, there are different things you can do after overflowing the jar. You could attempt session fixation if the cookie handles sessions. Other things may include manipulating data, for instance, if the cookie contains something like role=user, you could set it to
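Since the overflow lets script replace an HttpOnly cookie (and, as above, change a value like role=user), the server-side mitigation is to never trust a cookie's bare contents: sign the value with a server-held key and reject any cookie whose MAC does not verify. The Go server below is an added example written for this post, not the author's test server; the key is a constructed placeholder and the cookie name secret_cookie is reused from the text.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/http"
	"strings"
)

// serverKey is a constructed placeholder; a real deployment loads a random key from its secret store.
var serverKey = []byte("constructed-demo-key-not-for-production")

// SignValue returns "<value>.<base64url(HMAC-SHA256(value))>", the form stored in the cookie.
func SignValue(value string) string {
	mac := hmac.New(sha256.New, serverKey)
	mac.Write([]byte(value))
	return value + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// VerifyValue recomputes the MAC over the value part and compares in constant time;
// a cookie rewritten from JavaScript (e.g. "hacked1") carries no valid MAC and is rejected.
func VerifyValue(signed string) (string, bool) {
	i := strings.LastIndexByte(signed, '.')
	if i < 0 {
		return "", false
	}
	value := signed[:i]
	if !hmac.Equal([]byte(SignValue(value)), []byte(signed)) {
		return "", false
	}
	return value, true
}
// CookieStatus classifies the secret_cookie on a request: "missing", "tampered" or "ok:<value>".
func CookieStatus(r *http.Request) string {
	c, err := r.Cookie("secret_cookie")
	if err != nil {
		return "missing"
	}
	if v, ok := VerifyValue(c.Value); ok {
		return "ok:" + v
	}
	return "tampered"
}
func main() {
	http.HandleFunc("/setcookie", func(w http.ResponseWriter, r *http.Request) {
		// HttpOnly keeps XSS from reading it; the MAC keeps an overwritten copy from being trusted.
		http.SetCookie(w, &http.Cookie{Name: "secret_cookie", Value: SignValue("role=user"), HttpOnly: true, Path: "/"})
		w.Write([]byte("cookie set\n"))
	})
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte(CookieStatus(r) + "\n")) })
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

After running the overflow snippet against this server, the main page reports "tampered" instead of accepting hacked1, and a role=admin value spliced onto a genuine signature is rejected the same way.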
I found some other resources around the web discussing this attack; check them out, they are quite interesting.