Cookie Without SameSite Attribute
Reference
Plugin Id: 10054 | CWE: 1275
Remediation
To remediate the vulnerability of “Cookie Without SameSite Attribute,” add the SameSite attribute to every cookie the application sets. The attribute tells the browser whether a cookie may accompany requests that originate from another site, which makes it a useful countermeasure against cross-site request forgery (CSRF), cross-site script inclusion (XSSI), and cross-site timing attacks. With SameSite=Strict the cookie is sent only in a first-party context; with SameSite=Lax it is additionally sent on top-level navigations that use a safe method such as GET. SameSite limits which cross-site requests carry the cookie; it does not replace per-request CSRF tokens, because browser defaults vary and a Lax cookie still accompanies a top-level GET navigation from another site.
To add the SameSite attribute to a cookie, the following steps can be taken:
- Identify the cookies: Identify every cookie the application sets, by inspecting the Set-Cookie response headers and any cookies written from client-side script, and decide for each which SameSite value it needs. Session and CSRF-token cookies normally take Strict or Lax; only a cookie that genuinely must be sent in an embedded cross-site context (for example, a third-party widget) needs None.
- Update the cookie settings: Set the SameSite attribute to “Strict” or “Lax.” “Strict” sends the cookie only in a first-party context; “Lax” also sends it on top-level navigations to the site that use a safe method such as GET, so a user following a link from another site still arrives logged in. If a cookie must be sent cross-site, set “None” and also set the Secure attribute, because browsers reject SameSite=None on a cookie that is not Secure.
Example configuration in PHP (the options array form requires PHP 7.3 or later; the option key is samesite, and Secure and HttpOnly are set alongside it):
setcookie('cookie_name', 'cookie_value', ['samesite' => 'Strict', 'secure' => true, 'httponly' => true]);
Example configuration in JavaScript (a cookie written from script; cookies the server sets should carry the attribute in the Set-Cookie header instead):
document.cookie = 'cookie_name=cookie_value; SameSite=Strict; Secure';
- Test and verify: Re-scan or inspect the responses to confirm that every Set-Cookie header carries a SameSite attribute, that no cookie uses SameSite=None without Secure, and that cookies are not attached to cross-site requests that should not carry them (for example, a form POST submitted from a page on another origin).
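The procedure above, as an added example in Node.js that is not code from the original page: one helper builds a Set-Cookie header that carries SameSite (and refuses SameSite=None without Secure), and an audit function parses a list of Set-Cookie headers and reports the conditions a scanner would flag, which covers the “test and verify” step. The sample headers are constructed for the example; the function names are arbitrary.

```javascript
// Added example, not code from the original page: build Set-Cookie headers
// that carry SameSite, and audit a list of headers the way a scanner flagging
// "Cookie Without SameSite Attribute" would. Requires Node.js only.

const VALID_SAMESITE = new Set(['strict', 'lax', 'none']);

// Build one Set-Cookie header value. Defaults to SameSite=Lax and refuses
// the one combination browsers reject outright (SameSite=None without Secure).
function buildSetCookie(name, value, opts = {}) {
  const sameSite = opts.sameSite || 'Lax';
  const mode = sameSite.toLowerCase();
  if (!VALID_SAMESITE.has(mode)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (mode === 'none' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs }. Attribute names are
// lower-cased; attributes without a value (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a list of Set-Cookie headers. Returns one finding per problem and an
// empty array when every cookie is acceptable.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const ss = attrs.samesite;
    if (ss === undefined) {
      findings.push(`${name}: missing SameSite attribute`);
    } else if (typeof ss !== 'string' || !VALID_SAMESITE.has(ss.toLowerCase())) {
      // Browsers treat an unrecognised value the same as a missing attribute.
      findings.push(`${name}: unrecognised SameSite value "${ss}"`);
    } else if (ss.toLowerCase() === 'none' && attrs.secure !== true) {
      findings.push(`${name}: SameSite=None without Secure (browsers reject the cookie)`);
    }
  }
  return findings;
}

// Constructed sample headers for the audit; not captured from a real application.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'csrftoken=xyz; Path=/; Secure; SameSite=Strict',
  'tracker=1; Path=/; SameSite=None',
  'pref=dark; SameSite=Bogus',
];

console.log(buildSetCookie('session', 'abc123', {
  path: '/', secure: true, httpOnly: true, sameSite: 'Strict',
}));
for (const finding of auditSetCookieHeaders(SAMPLE_HEADERS)) console.log(finding);
```

Run it with `node` and it prints the hardened header followed by three findings: the session cookie with no SameSite, the tracker cookie with SameSite=None but no Secure, and the cookie with an unrecognised value. Point the audit at the real Set-Cookie headers your application returns to reproduce the scanner's check offline.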
About
The vulnerability of “Cookie Without SameSite Attribute” occurs when a cookie is set without the SameSite attribute. The attribute tells the browser whether the cookie may be attached to requests that originate from another site. Without it, the browser's own default applies, and in browsers that do not default to Lax the cookie accompanies every cross-site request to the issuing site, so a page the attacker controls can make the victim's browser send authenticated requests. That is what enables CSRF, XSSI, and cross-site timing attacks.
The SameSite attribute can be set to three values:
- Strict: The cookie is sent only in a first-party context. It never accompanies a cross-site request, including a top-level navigation from another site, so a user who follows a link from elsewhere arrives without the cookie.
- Lax: The cookie is also sent on cross-site top-level navigations that use a safe HTTP method such as GET, but not on cross-site subresource requests, iframes, or form POSTs. Chromium-based browsers treat a cookie that lacks the attribute as Lax (with a short grace period during which a freshly set cookie is still sent on a top-level POST); other browsers may treat a missing attribute as unrestricted, so relying on the default is not safe.
- None: The cookie is sent on all cross-site requests. Browsers accept this value only when the Secure attribute is also present.
By adding the SameSite attribute to cookies, web applications keep session cookies off cross-site requests, which blocks the forged requests CSRF relies on, stops an attacker's page from loading the site's own script or JSON endpoints with the victim's session (XSSI), and removes the authenticated cross-site requests that timing attacks measure.
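The three values described above, as an added example that is not part of the original page: a small model of the decision a browser makes before attaching a cookie to a request, evaluated for Strict, Lax, None, and a missing attribute across a forged cross-site POST, a hidden cross-site image load, a link click from another site, and a same-site request. The hostnames are constructed, the registrable-domain check is a simplification (real browsers use the Public Suffix List and, in Chromium, also compare the scheme), and Chromium's grace period for freshly set cookies is not modelled.

```javascript
// Added example, not code from the original page: a model of the SameSite
// rule a browser applies before attaching a cookie to a request.

// "Site" is approximated as the last two labels of the host
// (app.example.com -> example.com). Real browsers use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined }
// request: { method, initiatorHost, targetHost, topLevelNavigation }
// missingDefaultsToLax models Chromium (true) versus browsers that treat a
// missing attribute as unrestricted (false). Returns true if the cookie is sent.
function cookieWouldBeSent(cookie, request, { missingDefaultsToLax = true } = {}) {
  const crossSite = siteOf(request.initiatorHost) !== siteOf(request.targetHost);
  if (!crossSite) return true; // SameSite never blocks a same-site request
  let mode = (cookie.sameSite || '').toLowerCase();
  if (!['strict', 'lax', 'none'].includes(mode)) {
    mode = missingDefaultsToLax ? 'lax' : 'none';
  }
  switch (mode) {
    case 'strict':
      return false;
    case 'lax':
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    default: // 'none'
      return true;
  }
}

// Constructed scenarios: a user logged in at bank.example visits attacker.example.
const session = (sameSite) => ({ name: 'session', sameSite });
const forgedPost = { method: 'POST', initiatorHost: 'attacker.example', targetHost: 'bank.example', topLevelNavigation: true };
const hiddenImg = { method: 'GET', initiatorHost: 'attacker.example', targetHost: 'bank.example', topLevelNavigation: false };
const linkClick = { method: 'GET', initiatorHost: 'attacker.example', targetHost: 'bank.example', topLevelNavigation: true };
const firstParty = { method: 'POST', initiatorHost: 'www.bank.example', targetHost: 'api.bank.example', topLevelNavigation: false };

// One row per SameSite value, one column per scenario.
function matrix() {
  const rows = {};
  for (const ss of ['Strict', 'Lax', 'None', undefined]) {
    rows[ss || '(missing)'] = {
      forgedPost: cookieWouldBeSent(session(ss), forgedPost),
      hiddenImg: cookieWouldBeSent(session(ss), hiddenImg),
      linkClick: cookieWouldBeSent(session(ss), linkClick),
      firstParty: cookieWouldBeSent(session(ss), firstParty),
    };
  }
  return rows;
}

console.table(matrix());
```

The table shows why Lax is the usual choice: it blocks the forged POST and the hidden image load that CSRF, XSSI, and timing attacks rely on while still letting a link from another site open the application logged in, whereas Strict blocks that navigation too. The "(missing)" row only matches Lax because the model defaults to Chromium's behaviour; pass `{ missingDefaultsToLax: false }` to see the cookie sent everywhere.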
Risks
The risks associated with the vulnerability of “Cookie Without SameSite Attribute” include:
- Cross-Site Request Forgery (CSRF): Without the SameSite attribute, the browser attaches the session cookie to requests that an attacker's page triggers, such as a hidden auto-submitting form POST. The application cannot distinguish that request from one the user intended, so the attacker can perform state-changing actions with the victim's privileges.
- Cross-Site Script Inclusion (XSSI): An attacker's page can load the application's own dynamically generated script or JSON endpoints with a script tag. Because the victim's cookies are attached, the response is generated for the logged-in user, and the attacker's page may be able to read data from it, for example through a JavaScript callback or a global the script defines. The target is the application's scripts, not scripts hosted on the attacker's domain.
- Timing Attacks: A cross-site page can issue requests to the application and measure how long each takes to complete. With the cookie attached, the response time reflects the victim's state, for example whether a search returned results, which leaks information the attacker could not obtain from an unauthenticated request.
By adding the SameSite attribute to cookies, these risks are reduced, because session cookies no longer accompany the cross-site requests these attacks depend on. The attribute is defence in depth: keep per-request CSRF tokens and avoid returning sensitive data in script-executable responses as well.