What is the next layers of defence against cookie stealing if GET parameter is vulnerable to XSS and there is no HttpOnly flag in a website?

Question

If a GET parameter in a website is vulnerable to XSS and the user input is reflected without any change or escaping or filtering and also HttpOnly is not set for session cookie, is stealing the cookie possible? or there might be more layers of defense in website to prevent stealing cookies? Note that Payload is reflected without any changes thus we are free to use any javascript function to send cookies to our server.

Answer 1

Presented in order from "normal" to "insane, never attempt this":

• There might be mitigations against XSS, such as Content Security Policy (CSP). However, if you can execute an XSS payload in the target site's origin, then either they don't have CSP or it is inadequate (or you are using a very old browser).
• Sites don't have to use cookies for session authentication; if you know that a cookie is used here then obviously this doesn't apply, but many sites use Bearer tokens or other script-added credentials. Injected scripts (XSS payloads) can of course steal those (they have to be visible to scripts!), though they aren't technically cookies. The only credentials a script couldn't steal would be things like HTTP basic or digest or kerberos credentials, non-exportable private keys, client certificates, or credential-less authorization via some means such as "only this client IP is authorized".
• As Steffen mentioned, the session token might be tied to each user's device in some way, such as IP address. Obviously this sometimes causes users to be unexpectedly signed out, though, so most sites don't do that (or do it at very coarse granularity).
• It is technically possible for script to break document.cookie such that it does not return the cookies, in a way that can't be reverted on that page. However, even if done correctly (hard) and applied before every vulnerable point (also hard), this wouldn't be enough stop an attacker who could still open a new context under their own control, such as via window.open or injecting an <iframe> or <svg> or similar subdocument; those new child documents would not inherit the parent's sandboxing.

Answer 2

Since other answers have focused briefly on the different techniques to mitigate or control XSS, but I want to just focus on CSP in this regard, because I’d say CSP is the most common tactic to battle XSS.

Ideally, CSP mitigates XSS risks by controlling which sources of content are allowed to load and execute on a webpage, and while this significantly reduces the chances of executing malicious scripts, of course no CSP is perfect.

How CSP actually prevents XSS:

• Script source whitelisting: Google’s security blog explains that the script-src directive specifies which sources are permitted to execute JavaScript. By restricting script execution to trusted domains CSP prevents the execution of malicious scripts injected by attackers.

• Blocking Inline Scripts: The MDN web docs also explains how a CSP can block inline scripts, because this is a common vector for XSS attacks. This means scripts embedded directly in HTML, like those within <script> tags or event handlers, are blocked unless specifically allowed.

• using Nonces and Hashes: CSP supports nonces (randomly generated numbers) and hashes to allow specific inline scripts. So this enables secure use of actually necessary inline scripts without broadly enabling them, therefore maintaining a (somewhat) strong defense against XSS.

There are certainly many more CSP techniques specifically designed to mitigate the ever growing threat of XSS, but I have just listed three of the common ones.

Answer 3

There might be layers which do not prevent stealing the cookie but which prevent using a stolen cookie. This might be a short lifetime or the cookie bound to IP address, device properties or other locally stored information apart from the cookie (like localStorage, non-extractable key in WebCrypto, ...)