A penetration tester is exploiting a web application that stores session tokens in HTTP cookies without the HttpOnly flag. Which attack is most likely to succeed?
XSS can read cookie values if HttpOnly is not set, allowing session theft.
Why this answer
The absence of the HttpOnly flag on session cookies allows client-side scripts (e.g., JavaScript) to access the cookie. An attacker can exploit a cross-site scripting (XSS) vulnerability to execute arbitrary JavaScript in the victim's browser, which then reads the session cookie and sends it to the attacker. This enables session hijacking without needing to guess or brute-force the token.
Exam trap
The trap here is that candidates often confuse session hijacking via XSS with CSRF. CSRF does not steal the token; it only abuses the existing authenticated session to perform actions on the victim's behalf.
How to eliminate wrong answers
Option A is wrong because SQL injection targets the database layer by manipulating SQL queries, not the client-side storage of session tokens. Option C is wrong because cross-site request forgery (CSRF) forces the victim to perform unintended actions using their existing session, but it does not steal the session token itself. Option D is wrong because server-side request forgery (SSRF) tricks the server into making internal requests, not stealing client-side cookies.