Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypass HTTPOnly Flag with PHP Info Page- 1010

Hack Commander, posted 3 years ago
  • The PHP info page (phpinfo()) displays information about the current installation: PHP version, loaded modules, configuration directives and the request environment. On its own it is normally reported as a low-severity information disclosure finding.
  • A standard mitigation for Cross Site Scripting (XSS) is setting the HttpOnly flag on cookies. It stops JavaScript from reading the cookie through document.cookie. Since session identifiers are commonly stored in cookies, this blocks the simplest XSS payload, which just exfiltrates document.cookie.
  • The PHP info page dumps a ton of information about the environment, including the raw request headers. The weird one to me is that the HTTP_COOKIE field contains the complete Cookie header the browser sent, HttpOnly cookies included. The flag only restricts script access on the client; the browser still attaches the cookie to every request, and phpinfo() reflects it back in the response body.
  • So an XSS bug can make a same-origin request to the PHP info page and read the cookies reflected in the response. This allows the stealing of HttpOnly cookies, which is a huge deal in the context of web exploitation. In particular, the PHP session cookie PHPSESSID can be stolen and replayed to hijack the session.
  • Overall, a context-dependent HttpOnly bypass within PHP, achieved by chaining a normally low-severity issue (an exposed phpinfo page) with XSS. The fix is simple: don't leave phpinfo pages reachable in production. The same reasoning applies to any endpoint that echoes request headers back to the client.