Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-
- The server asks your browser to set a cookie.
- It gives a name, value and other parameters.
- Browser stores the data in disk or memory. This feature depends on the cookie type.
SameSite prevents a browser from causing cross-site scripting attacks. The main goal of this flag is to reduce the chance of cross-origin information leakage to zero. It additionally provides some protection against attacks like cross-site request forgery attacks.
The goals of the SameSite flag are to Prevent:
- cross-origin timing attacks
- cross-origin script inclusion
- CSRF
- limited privacy protection
The possible values for this flag are lax or strict.
Impact
Using this vulnerability, an attacker can:-
- redirect the user to a malicious site to steal information/data.
- show user false data which will, in turn, affect the credibility of the website.
Mitigation / Precaution
Beagle recommends setting the flag to lax and strict for maximum security. The ‘strict’ attribute prevents a cookie from being sent by the browser to the target site in all cross-site browsing context. The default ‘lax’ value provides a proper balance between security and usability for websites. This flag is used by applications that maintain a user’s logged-in session.
