Which cookies can XSS have access to



  • I clicked on a link on my Android phone and I don’t know if it was an XSS or not. I want to know: in the case of an XSS attack, can the hacker access all of my cookies or just the cookies that belong to the website in the link address?



  • An XSS has only read access to the cookies on the specific page, and only to cookies which are not set HttpOnly. Thus only these cookies can be stolen.

    But an XSS can do more than just steal cookies: it can use the page as a base to send requests to other sites. In this case the browser might automatically send the cookies from the target site to the target site. This allows the XSS to impersonate the user against the target site. Details depend on attributes of the cookie (like SameSite) and the kind of request (simple vs. non-simple XHR).
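The scoping rules described in the answer, as an added example that is not part of the original post: a simplified JavaScript model of which cookies a script on a page can read and which ones the browser attaches to a request that page makes. The cookie jar, hostnames and function names are constructed for illustration, and the "site" comparison is an assumption that stands in for the browser's Public Suffix List lookup.

```javascript
// Simplified model of browser cookie scoping; not a full RFC 6265 implementation.
// Constructed sample jar: every name and host here is made up for illustration.
const jar = [
  { name: "sid",       domain: "shop.example", path: "/",         httpOnly: true,  secure: true,  sameSite: "Lax" },
  { name: "theme",     domain: "shop.example", path: "/",         httpOnly: false, secure: false, sameSite: "Lax" },
  { name: "cart",      domain: "shop.example", path: "/checkout", httpOnly: false, secure: true,  sameSite: "Strict" },
  { name: "bank_sid",  domain: "bank.example", path: "/",         httpOnly: true,  secure: true,  sameSite: "None" },
  { name: "bank_pref", domain: "bank.example", path: "/",         httpOnly: false, secure: true,  sameSite: "Lax" },
];

// Assumption: the "site" is the last two host labels (real browsers use the Public Suffix List).
const siteOf = (host) => host.split(".").slice(-2).join(".");

const domainMatches = (host, domain) => host === domain || host.endsWith("." + domain);
const pathMatches = (reqPath, cookiePath) =>
  reqPath === cookiePath ||
  (reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/"));

// Is the cookie in scope for this URL at all (domain, path, Secure)?
function inScope(cookie, url) {
  const u = new URL(url);
  return domainMatches(u.hostname, cookie.domain) &&
    pathMatches(u.pathname, cookie.path) &&
    (!cookie.secure || u.protocol === "https:");
}

// What document.cookie exposes to a script running on pageUrl: HttpOnly is hidden.
function readableByScript(cookies, pageUrl) {
  return cookies.filter((c) => inScope(c, pageUrl) && !c.httpOnly).map((c) => c.name);
}

// What the browser attaches to a credentialed subrequest (not a top-level
// navigation) from pageUrl to targetUrl: cross-site needs SameSite=None; Secure.
function attachedToSubrequest(cookies, pageUrl, targetUrl) {
  const crossSite = siteOf(new URL(pageUrl).hostname) !== siteOf(new URL(targetUrl).hostname);
  return cookies
    .filter((c) => inScope(c, targetUrl))
    .filter((c) => !crossSite || (c.sameSite === "None" && c.secure))
    .map((c) => c.name);
}

const page = "https://www.shop.example/product?id=1";
console.log(readableByScript(jar, page));
console.log(attachedToSubrequest(jar, page, "https://www.shop.example/checkout/pay"));
console.log(attachedToSubrequest(jar, page, "https://bank.example/transfer"));
```

In this model the HttpOnly `sid` cookie never appears in the readable set, yet it is still attached to the same-site request, which is why HttpOnly limits cookie theft but does not by itself stop a script from acting as the user.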

