Already pointed out but just to show more practical way to bypass HTTPOnly cookies take a look at XSS Tunelling - http://labs.portcullis.co.uk/application/xss-tunnelling/xss-tunnel/
Basically it’s a defense in depth approach and quite cheap to implement but obviously not the silver bullet.