Cookie anti-CSRF flag without SameSite flag

By
Sooraj V Nair
Published on
19 Jun 2018
1 min read
Vulnerability
CSRF
Cookies Attributes

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-

  1. The server asks your browser to set a cookie.
  2. It gives a name, value and other parameters.
  3. Browser stores the data in disk or memory. This feature depends on the cookie type.

The ‘anti-CSRF’ flag can be accessed easily by the attacker using some scripts. The attacker can successfully trick a victim into sending a valid request. Because of this, the server will fail to determine the attacker because it is not validating the origin. Using SamSite Cookie attribute, a developer can instruct all the browsers accessing the website to control if the cookies are sent along with the request.

Impact

Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends setting the flag to lax and strict for maximum security.

The ‘strict’ attribute prevents a cookie from being sent by the browser to the target site in all cross-site browsing context.

        Set-Cookie: CookieName=CookieValue; SameSite=Strict;

    

The default ‘lax’ value provides a proper balance between security and usability for websites. This flag is used by applications that maintain a user’s logged-in session.

        Set-Cookie: CookieName=CookieValue; SameSite=Lax;

    
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.