SameSite Not Set


Description

The application uses a cookie that is set without the SameSite flag. The SameSite flag is a browser-based standard introduced by Google in 2016 that instructs browsers to prevent cookies from being sent in cross-site requests. Restricting cookies to their initial origin mitigates the risk of cross-site request forgery (CSRF) and information leakage attacks. The SameSite flag, which has not been fully adopted by all browsers, is defined in a draft update to RFC 6265, the modern-day standard for state management.

Custom Description

The following cookies were identified without the SameSite flag:

[Insert cookies]

Impact

Without the SameSite flag, the application may be vulnerable to cross-site request forgery (CSRF) and cross-origin information leakage attacks, since the browser will send cookies across origins. An attacker can use these attacks to trick a user into performing an action or into leaking sensitive data. However, since this is a relatively new cookie attribute and is not accepted by all browsers, it should be implemented as a defense-in-depth approach and not used as a standalone remedy for these attacks. When considered as an additional layer of security on top of traditional CSRF defenses, the impact of not implementing this attribute is minimal.

Risk Rating 

Likelihood – Low

Impact – Low

Overall Risk – Best Practice

Remediation

Configure the application to set the SameSite flag. As this is a relatively new cookie attribute, the flag may need to be set programmatically by code on the server side. Set the attribute as follows:

Set-Cookie: CookieName=CookieValue; SameSite=Strict;

The SameSite attribute can be set with two values:

  • Strict – The cookie is not sent with any cross-site requests, even if the user follows a link to a third-party site.
  • Lax – The cookie is sent with a top-level GET request, such as a user following a link to a third-party site.

Since the SameSite flag is not implemented by all browsers, continue to deploy standard defenses for CSRF and information leakage attacks. In addition, the SameSite flag won’t prevent CSRF that occurs within a single origin or through an XSS attack.

How to Test

Manual

  1. Capture an HTTP response where a cookie is set in Burp Proxy as shown in the screenshot below and inspect it for the presence of the SameSite flag. In Burp Proxy under the HTTP History tab, sort the rows by the Cookies column in order to find responses that have cookies being set.
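The same inspection can be scripted against a raw response copied out of the proxy. The following Python script is an added example, not part of the original finding or of Burp; it reports, per cookie, whether the SameSite attribute is missing. The sample response, the function names and the "unrecognized" label are constructed for illustration.

```python
# Added example: audit Set-Cookie headers in a captured HTTP response.
SAMPLE_RESPONSE = (  # constructed sample, not from a real application
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; SameSite=Lax\r\n"
    "set-cookie: csrf=xyz; Secure; samesite=strict\r\n"
    "Set-Cookie: track=1; SameSite=bogus\r\n"
    "\r\n"
    "<html>SameSite=Strict in the body is ignored</html>"
)

ACCEPTED = {"strict", "lax"}  # the two values this page lists


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def audit_samesite(raw_response):
    """Return (cookie name, finding) for every Set-Cookie header."""
    # Only the header block is inspected; the body is ignored.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    results = []
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "samesite" not in attrs:
            finding = "missing"
        elif attrs["samesite"].lower() in ACCEPTED:
            finding = "ok"
        else:
            finding = "unrecognized"  # present, but not Strict or Lax
        results.append((name, finding))
    return results


if __name__ == "__main__":
    for name, finding in audit_samesite(SAMPLE_RESPONSE):
        print(f"{name}: SameSite {finding}")
```

Cookies reported as "missing" are the ones to list under Custom Description.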

Sample Report Screenshots

Time Saving Tips

Use Burp’s search function to search for the keyword “samesite” within the scope.

Gotchas

Since this is a relatively new attribute that is not accepted by all browsers (see here), we only issue this as a best practice finding. We consider this a defense-in-depth type of recommendation that should not be relied on to prevent CSRF. If an application could be subject to CSRF attacks, we still recommend the standard mitigations to prevent the attack. Nevertheless, we love the simplicity of this flag and we look forward to it making CSRF less relevant in the future.

References

OWASP – https://www.owasp.org/index.php/SameSite

Draft RFC – http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html

Caniuse – https://caniuse.com/#search=samesite
