Benefits and limits of SameSite attribute

The SameSite attribute is a cookie flag introduced in RFC6265 with the aim to mitigate cross-site requests, such as Cross-Site Request Forgery (CSRF) attacks.

Some words about CSRF


Cross-Site Request Forgery (CSRF) is an attack that tricks a victim, that is currently authenticated to the vulnerable website, to perform unwanted actions in the contexts of the target website. Such operations usually allow the modification of the application settings and account information.
The vulnerability lies in the behaviour of browsers. In fact, browsers will automatically include session cookies while performing the HTTP request crafted by the attacker .Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish a malicious request from a legitimate one.

During over a decade of web application security, developers have adopted many techniques to mitigate this vulnerability.
The recommended prevention technique consists in including  for each HTTP request the so called anti-CSRF tokens, which are unique values, randomly generated and verified server-side.
Nowadays most of the web frameworks natively offer the support for managing the generation and verification of this security tokens.

All you need to know about SameSite attribute


SameSite cookies are a convenient way to defend against a variety of attacks that leverage cross-origin requests because they are the easiest migitation technique to deploy.

There are two values for this flag:

Strict: a cookie released with this value will not be sent along with none type of HTTP requests (i.e. POST, GET with no Top level change, GET with Top level change) originated by third party websites. Therefore, this is the most effective way to use SameSite attribute to prevent CSRF attacks.
However, this value has the downfall of negative usability impact since a user following legitimate links to other section of the hardened web application will result in a new login phase for that particular request (because session cookies have not been included by the browser).

Lax: a cookie released with this value will not be sent along POST and GET request initiated by third party website, unless the GET request causes a top level navigation change. A top level navigation change corresponds to a modification of the URL displayed in the address bar.

A quick reference table for some cases is the following:

A list of HTTP request type 

Value of SameSite that allows CSRF

link tag‘None’, ‘Lax’
form via GET action‘None’, ‘Lax’
form via POST action‘None’
iframe tag‘None’
image tag‘None’
Ajax request‘None’
Note: value 'None' corresponds to a cookie released with no SameSite attribute.

Demo for some scenarios

Let’s cover two test cases showing the situations in which Lax value does prevent CSRF and when it does not. 

Quick setup

For this purpose I will consider the dockerized version of DVWA and Burp Suite proxy.

The vulnerable section we consider in this demo

In the developer console shown above, we see that the session cookie PHPSESSID of DVWA is not released with SameSite because it is non implemented in the source code for this web application. Of course we can modify the response on-the-fly with Burp proxy and ship PHPSESSID with SameSite flag :-), see below.

SameSite=Lax; has been added in the HTTP response intercepted via proxy

Now the session cookie has SameSite attribute set with value ‘Lax’

And now everything is ready for the demo.

1. Lax value against CSRF via image tag (no Top level navigation change):
The PoC of this test case is:

<html>
  <img src="http://TARGET /vulnerabilities/csrf/?password_new=aaa&password_conf=aaa&Change=Change">
</html>

A webpage prepared by an attacker with this HTML code is visited by an authenticated victim of DVWA and as soon as he visits the crafted page, what we see outgoing from the browser is the following:

The session coookie PHPSESSID is not sent along the cross-site request

As we see, the PHPSESSID session cookie is not sent in the cross-site request. This occurs because the image tag does not cause a top level navigation change in the address bar.
Therefore, the action will fail and the SameSite cookie has denied a CSRF attack.

2. Lax value against CSRF via form GET action (Top level navigation change):
THe PoC of this test case is:

<html>
   <body onload="document.forms[0].submit();">
      <form action="http://172.17.48.226/vulnerabilities/csrf/">
         <input type="hidden" name="password_new" value="aaa" />
         <input type="hidden" name="password_conf" value="aaa" />
         <input type="hidden" name="Change" value="Change" />
      </form>
   </body>
</html>
 
The session cookie is sent along with the cross-site request

As we see, the PHPSESSID has been sent even with the SameSite attribute set to ‘Lax’.
This is because, after the execution of the above PoC, the URL displayed in the address bar is now that of the vulnerable application (a top level navigation change has taken place):

After the request the URL in the address bar has changed

Conclusion

SameSite is a quickly deployable fix that addresses an old vulnerability. However,this security attribute is not supported on all browsers (see here for current widespread). Therefore, it has to be deployed only alongside well known mitigation techniques such as anti-CSRF tokens.

Comments

Popular posts from this blog

Abusing Windows 10 Narrator's 'Feedback-Hub' URI for Fileless Persistence

WPA2-PSK vs WPA2-Enterprise: hacking and hardening

Management Frame Protection and its limitations