
Showing posts from May, 2018

Benefits and limits of SameSite attribute

The SameSite attribute is a cookie flag introduced in the RFC6265bis draft (the update to RFC 6265; it is not part of the original RFC) with the aim of mitigating cross-site requests, such as Cross-Site Request Forgery (CSRF) attacks.

Some words about CSRF

Cross-Site Request Forgery (CSRF) is an attack that tricks a victim who is currently authenticated to the vulnerable website into performing unwanted actions in the context of that website. Such actions usually allow the modification of application settings and account information. The vulnerability lies in the behaviour of browsers: a browser automatically includes the session cookies of the target site when it performs the HTTP request crafted by the attacker. Therefore, if the user is currently authenticated to the site, the site has no way to distinguish a malicious request from a legitimate one. Over more than a decade of web application security, developers have adopted many techniques to mitigate this vulnerability. The recommended prevention technique consists of including
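The following is an added example, not code from the original post: a small model of the SameSite rules of the RFC6265bis draft, run over three constructed CSRF scenarios, so that the cases the attribute blocks and the cases it leaves open can be compared side by side. Two assumptions not stated on the page: a "site" is approximated as the last two labels of the host name (real browsers use the Public Suffix List to compute the registrable domain), and a cookie with no SameSite attribute is treated as unrestricted, which was browser behaviour at the time of the post (Chrome 80 and later treat a missing attribute as Lax).

```javascript
// Added example (not from the original post): a model of when a browser
// attaches a cookie to a request under the SameSite rules.
//
// Assumption: the registrable domain is approximated by the last two host
// labels. Real browsers consult the Public Suffix List.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// A request is cross-site when the page that initiated it lives on a
// different registrable domain than the request target.
function isCrossSite(request) {
  return registrableDomain(request.initiatorHost) !==
         registrableDomain(request.targetHost);
}

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined }
// request: { method, initiatorHost, targetHost, topLevelNavigation }
// Returns true when the browser would attach the cookie to the request.
function cookieIsSent(cookie, request) {
  if (!isCrossSite(request)) {
    return true;                        // same-site: always attached
  }
  switch (cookie.sameSite) {
    case "Strict":
      return false;                     // never on cross-site requests
    case "Lax":
      // Only on top-level navigations with a "safe" method (following a
      // link, a GET form); not on POST, fetch/XHR, images or iframes.
      return request.topLevelNavigation === true &&
             SAFE_METHODS.has(request.method.toUpperCase());
    case "None":
    default:
      // No restriction. Assumption: a missing attribute behaves like
      // "None", as 2018 browsers did; Chrome 80+ defaults it to Lax.
      return true;
  }
}

// Constructed scenarios. The victim holds a session cookie for
// bank.example; attacker.example is a page the victim is lured to.
const SCENARIOS = {
  // Classic CSRF: a hidden form auto-submitted from the attacker's page.
  formPost:  { method: "POST", initiatorHost: "attacker.example",
               targetHost: "bank.example", topLevelNavigation: true },
  // Limit: a state-changing action reachable with a plain GET link.
  getLink:   { method: "GET", initiatorHost: "attacker.example",
               targetHost: "bank.example", topLevelNavigation: true },
  // Limit: script on a sibling subdomain (e.g. via an XSS there) is
  // same-site, so SameSite imposes no restriction at all.
  subdomain: { method: "POST", initiatorHost: "blog.bank.example",
               targetHost: "bank.example", topLevelNavigation: false },
};

// Evaluate every scenario for each SameSite value.
function evaluate() {
  const out = {};
  for (const mode of ["Strict", "Lax", "None"]) {
    out[mode] = {};
    for (const [name, req] of Object.entries(SCENARIOS)) {
      out[mode][name] = cookieIsSent({ sameSite: mode }, req);
    }
  }
  return out;
}

console.table(evaluate());
```

The table makes the post's title concrete: Strict and Lax both stop the auto-submitted POST, but Lax still sends the cookie on a cross-site top-level GET, so any state-changing GET endpoint stays exploitable, and neither mode helps against a request originating from another host under the same registrable domain.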