## Description
We were able to identify an endpoint which prints request headers into the page. This included sensitive HttpOnly session cookies, which shouldn’t be accessible in the DOM.
## POC
https://█████████/csstest
███████
The JSESSIONID cookie will be reflected.
## Suggested fix
Remove the page, its content, or restrict access to it.
In combination with any XSS attack, this will result in session cookie theft and likely authentication bypass (by default this isn’t possible because XSS can’t access HttpOnly cookies), since the attacker can request the /csstest page with XSS and read the response.
We will try to find one and chain the vulns together.
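A regression check for the suggested fix, added here as an example and not part of the original report: it flags any request cookie whose value is echoed back in a response body. The function name, the length threshold and the sample header and bodies are constructed for illustration.

```python
import html
from urllib.parse import quote

MIN_LEN = 8  # assumption: shorter values match ordinary page text by coincidence


def reflected_cookies(cookie_header, body, min_len=MIN_LEN):
    """Return the names of request cookies whose value appears in the response body."""
    leaked = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep or len(value) < min_len:
            continue
        # A header dump may print the value raw, HTML-escaped or URL-encoded.
        variants = {value, html.escape(value), quote(value, safe="")}
        if any(v in body for v in variants):
            leaked.append(name)
    return sorted(leaked)


# Constructed sample data: a canary session cookie and two response bodies.
SAMPLE_COOKIE_HEADER = "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; theme=dark"
VULNERABLE_BODY = (
    "<pre>Host: app.example\n"
    "Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; theme=dark</pre>"
)
FIXED_BODY = "<pre>Host: app.example\nCookie: [redacted]</pre>"

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_BODY), ("fixed", FIXED_BODY)):
        print(label, reflected_cookies(SAMPLE_COOKIE_HEADER, body))
```

Run it in CI against your own application's pages with a canary cookie value; any non-empty result means a page is exposing cookies to script in the DOM regardless of the HttpOnly flag.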