During a web-application penetration test against a banking site, you exploit a reflected XSS flaw that executes JavaScript in a victim's browser. The response for an authenticated user contains the header:
Which additional cookie attribute would most effectively stop your injected script from reading the victim's session ID and thereby prevent session hijacking?
Reduce the session timeout to a few minutes
Bind the session to the originating IP address
Include the HttpOnly flag in the Set-Cookie header
JavaScript can read cookies through document.cookie unless the cookie is flagged HttpOnly. The Secure attribute merely requires that the cookie be sent over TLS; it does not restrict script access. SameSite=Strict limits the cross-site requests on which the cookie is sent, but still leaves its value readable to client-side code. Shortening the session timeout or binding the session to an IP address reduces the window or scope of misuse but does not stop the XSS payload from stealing the token. Adding the HttpOnly flag instructs the browser to withhold the cookie from document.cookie and other script-accessible interfaces, eliminating this specific attack vector (the XSS flaw itself still needs to be fixed).
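To make the comparison in the explanation concrete, here is an added Python example (not code from the exam page) that parses Set-Cookie headers and reports, from a defender's view, which cookies a script in the page could read and which hardening attributes are absent. The two sample headers, the function names and the name hints used to guess which cookies carry a session are all constructed for this example and are assumptions, not values from the page.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite.

Added example: parses each header the way a browser would split it and
reports which cookies remain readable through document.cookie. Sample
headers below are constructed and not taken from any real application.
"""
from dataclasses import dataclass, field

# Constructed substrings that suggest a cookie carries session state (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")

# Constructed sample headers: the same session cookie without and with HttpOnly.
WEAK_HEADER = "JSESSIONID=constructed-example-value; Path=/; Secure; SameSite=Strict"
HARDENED_HEADER = (
    "JSESSIONID=constructed-example-value; Path=/; Secure; HttpOnly; SameSite=Strict"
)


@dataclass
class CookieAudit:
    name: str
    attributes: dict
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags without '=' become True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def script_readable(header_value: str) -> bool:
    """True if page JavaScript could read this cookie via document.cookie.

    Only HttpOnly hides a cookie from script; Secure and SameSite do not.
    """
    _, _, attrs = parse_set_cookie(header_value)
    return "httponly" not in attrs


def audit_cookie(header_value: str) -> CookieAudit:
    """Return the missing or inconsistent hardening attributes for one cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    if looks_like_session and "httponly" not in attrs:
        findings.append("missing HttpOnly: session cookie readable by script (XSS exposure)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite: browser default policy applies")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None is only honoured together with Secure")
    return CookieAudit(name, attrs, findings)


def audit_response(set_cookie_headers: list) -> dict:
    """Audit every Set-Cookie header of one response; map cookie name -> findings."""
    return {a.name: a.findings for a in map(audit_cookie, set_cookie_headers)}


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        result = audit_cookie(header)
        print(f"{label}: script_readable={script_readable(header)} findings={result.findings}")
```

Running the block prints that the weak header is readable by script with one HttpOnly finding, while the hardened header is not readable and has no findings. The audit deliberately treats HttpOnly as a containment for cookie theft only; the other checks exist because a cookie that is unreadable to script can still be exposed in transit (no Secure) or on cross-site requests (no SameSite).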
Certified Ethical Hacker (CEH)
Web Application Hacking