While writing something with Python's Flask framework recently, I took the opportunity to work out what HttpOnly does: its main purpose is to guard against XSS attacks.
The following hello.py is written in Flask.
[Image: Flask1.jpg]
The code sets two cookies, one with the HttpOnly flag and one without.
index.html contains simple JavaScript for testing XSS.
Start the Flask web server:
python hello.py
Visit http://192.168.118.142:5000/login
[Image: Http.jpg]
The alert box shows only the session ID and value from the first cookie. You can use a Chrome plugin to view the HTTP response headers.
[Image: Http2.jpg]
The second cookie is not retrieved because it has the HttpOnly flag.
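The behaviour seen in the alert box and the response headers can be modelled offline. The following is an added example, not the hello.py from this post; it uses only the Python standard library, and the cookie names, values and function names are constructed for illustration.

```python
# Added example: model which cookies page script can read via document.cookie,
# and flag sensitive cookies that were issued without HttpOnly.
# The header values below are constructed; the cookie names are hypothetical.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/",         # no HttpOnly: readable by script
    "token=s3cr3t; HttpOnly; Path=/",   # HttpOnly: hidden from script
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def document_cookie(headers):
    """Return the string a script would see in document.cookie."""
    visible = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append(f"{name}={value}")
    return "; ".join(visible)


def missing_httponly(headers, sensitive_names):
    """List sensitive cookies that were issued without the HttpOnly flag."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in sensitive_names and "httponly" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("script sees:", document_cookie(SAMPLE_SET_COOKIE))
    print("missing HttpOnly:",
          missing_httponly(SAMPLE_SET_COOKIE, {"sessionid", "token"}))
```

The same check can be run against the Set-Cookie headers copied from the browser's response view to confirm that every session-bearing cookie carries the flag.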
This shows the effect of HttpOnly on XSS attacks. Nothing is absolute, though: in some specific situations it can be bypassed, which will be analyzed later. Good luck!
This article is from the "Lao Xu's Private Food" blog; reprinting is declined!
The effect of HttpOnly on XSS attacks