Cookies SameSite flag invalid

By
Nash N Sulthan
Published on
19 Jun 2018
1 min read
Vulnerability
Cookies Attributes

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-

  1. The server asks your browser to set a cookie.
  2. It gives a name, value and other parameters.
  3. Browser stores the data in disk or memory. This feature depends on the cookie type.

SameSite prevents a browser from causing cross-site scripting attacks. The main goal of this flag is to reduce the chance of cross-origin information leakage to zero. It additionally provides some protection against attacks like cross-site request forgery attacks.

The goals of the SameSite flag are to Prevent:

  • cross-origin timing attacks
  • cross-origin script inclusion
  • CSRF
  • limited privacy protection

The possible values for this flag are lax or strict.

Impact

Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends setting the flag to lax and strict for maximum security. The ‘strict’ attribute prevents a cookie from being sent by the browser to the target site in all cross-site browsing context. The default ‘lax’ value provides a proper balance between security and usability for websites. This flag is used by applications that maintain a user’s logged-in session.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.