79296399

Date: 2024-12-20 07:05:31
Score: 1.5

An HttpOnly cookie can only be stolen if the client reflects the cookie in the response at some point. You can make an XHR request to steal the cookie. Although it is not related to the HttpOnly flag, another way is if the application is using JWT for authentication/authorization, you can read it from Local Storage.

Reasons:
  • No code block (0.5):
  • Low reputation (1):
Posted by: AZAN SHAHID