Cookie anti-CSRF flag without SameSite flag

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-

1. The server asks your browser to set a cookie.
2. It gives a name, value and other parameters.
3. Browser stores the data in disk or memory. This feature depends on the cookie type.

The ‘anti-CSRF’ flag can be accessed easily by the attacker using some scripts. The attacker can successfully trick a victim into sending a valid request. Because of this, the server will fail to determine the attacker because it is not validating the origin. Using SamSite Cookie attribute, a developer can instruct all the browsers accessing the website to control if the cookies are sent along with the request.

Impact

Using this vulnerability, an attacker can:-

• redirect the user to a malicious site to steal information/data.
• show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends setting the flag to lax and strict for maximum security.

The ‘strict’ attribute prevents a cookie from being sent by the browser to the target site in all cross-site browsing context.

        Set-Cookie: CookieName=CookieValue; SameSite=Strict;

    

The default ‘lax’ value provides a proper balance between security and usability for websites. This flag is used by applications that maintain a user’s logged-in session.

        Set-Cookie: CookieName=CookieValue; SameSite=Lax;

    

Written by

Sooraj V Nair

Cyber Security Engineer