Same site Cookies¶
You can practice using tools https://github.com/SmotrovaLilit/cors-sandbox
The flag same site instructs browsers how handle cookie in cross-site requests.
A cross-site request occurs when one site initiates a request to a different site
SameSite = None -> browser sends cookie in cross-site requests. SameSite=Lax -> browser does not send cookie in cross-site request. However, the browser will send the cookie during navigation when a user manually enters the URL in the browser or clicks a link to the site or follow redirects. SameSite=Strict -> browser does not send cookie in cross-site request, even during navigation when a user manually enters the URL in the browser or clicks a link to the site or follow redirects.
SameSite behaviour in chromium version 107.0.5304.110¶
Table legend¶
"+" - means that a browser will send the cookie
"-" - means that a browser will not send the cookie
Main domain is different for sites, for example http://origin.cors.com and http://permitted.cors-another.com
| Action/State | SameSite=None | Without sameSite | SameSite=Lax | SameSite=strict |
|---|---|---|---|---|
| Follow cross-site link | + | + | + | - |
| Submit form with action to the cross site link | GET: +, POST:+ | GET: +, POST:+ | GET: +, POST: - | - |
| Follow cross-site redirect | + | + | + | - |
| Fetch | + | - | - | - |
Payload to test same site behaviour¶
TODO use https://github.com/SmotrovaLilit/cors-sandbox
<html>
<head>
<script>
function sendRequests() {
// GET fetch
fetch("https://ofbiz:8443/webtools/control/security?get", {credentials:'include', mode: 'no-cors'});
// POST fetch
fetch("https://ofbiz:8443/webtools/control/security?post", {
method: 'POST',
mode: 'no-cors',
credentials: 'include',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body : "" }
).then(function(response) {
});
// Auto submiting the form
//document.forms['csrf'].submit();
return false;
}
</script>
</head>
<body onload="sendRequests();">
<form action="https://ofbiz:8443/webtools/control/security" method="get" name="csrf">
<input type="submit" value="Click here to sumbit cross-ste form">
</form>
<div>
<a href="https://ofbiz:8443/webtools/control/security?flag=userClickedLink" target="_blank">Click here to go to cross-site link</a>
</div>
</body>
</html>
<html>
<head>
<meta http-equiv="refresh" content="7; url='https://ofbiz:8443/webtools/control/security'" />
</head>
</html>
💡Notes:¶
- Some browsers will block a cookie with SameSite=None if the Secure flag is not also set.
- We need to set same site mode cookie, because default value is different in browsers and in chromium behaviour without same site is different with other modes.
Why Same site Cookie it is not enough to protect target site¶
- Not all browsers support the same site mode
- An attacker can still does malicious requests with the samesite != strict
References¶
- web200.Cross-Origin-Attacks.SameSite Cookies