Samesite by Default and What It Means for Bug Bounty Hunters
31 January 2020
You have probably heard of the SameSite attribute, added to HTTP cookies in Chrome 51 (with a specification following later). It was advertised as a CSRF killer. This attribute is going to be set by default for all cookies in Chrome 80 (February 4, 2020). We will explore what it truly means and whether it really kills CSRF.
After the update, all cookies without an explicit SameSite attribute will be treated as having SameSite=Lax. This means cross-origin requests no longer carry cookies, except for top-level navigations.
While this may come as sad news to bug bounty hunters, modern webapp frameworks have already largely mitigated CSRF so this doesn’t seem that bad — CSRF is no longer in the OWASP Top 10.
This begs the question: Is CSRF the only bug class that relies on authenticated cross-origin requests?
It turns out there are a few other client-side vulnerabilities that require cookies to be present in cross-origin requests. A lot of online articles highlight the effects on CSRF but fail to mention the other impacted vulnerabilities. Below are a few bug classes that will be affected by the introduction of SameSite by default.
Clickjacking
To make Clickjacking work, the victim needs to be authenticated in an iframe embedded in the attacker’s page. Since the iframe is making a cross-origin request, dropping cookies means the victim will not be authenticated, and hence the attack will fail. Clickjacking is still a threat for Single Page Applications (SPAs) that store session IDs/access tokens in
Cross-Site Script Inclusion
The SameSite update is the final nail in the coffin.
JSONP Leaks
Although they are a subset of XSSI, JSONP leaks may still work in specific scenarios. This is because JSONP is intended to be used cross-origin, and hence site owners will undo SameSite on cookies. Cases where an adversary exploits accidental JSONP support by middleware (adding ?callback= to an endpoint) will be eliminated.
Data Exfiltration
This bug category abuses different techniques to bypass SOP. Examples include CSS Exfiltration and SOP bypasses at the browser level. These examples are affected in the same way as XSSI — cross-origin requests are no longer authenticated.
XS-Leaks
XS-Leaks will be affected for the same reason as XSSI. That being said, certain side-channel techniques via window.open may still work since those are considered top-level navigation.
CORS Misconfigurations
CORS misconfigurations may be the least affected vulnerability class mentioned here because CORS is meant to be used cross-origin, as the name suggests. When developers intentionally enable CORS, they will be circumventing the SameSite attribute and allowing authenticated cross-origin requests. Keep in mind, though, that even when intentionally enabled, most exploitable cases consist of a whitelist bypass, as we have seen in the past. Attacks that rely on sites that have accidentally enabled CORS are most likely going to be affected by SameSite=Lax because it will force the request to drop the cookies.
Cross-Site WebSocket Hijacking
Much like CSRF, CSWSH is where a page can establish a cross-origin connection, but via a WebSocket. This bug class will be impacted by the introduction of SameSite by default.
XSS
XSS is affected when an exploit chain involves a cross-origin response, for instance when attempting to bypass a CSP via an authenticated JSONP endpoint, or RPO via an Open Redirect not under the attacker’s control.
The list is, of course, not exhaustive, as there are many variations based on similar techniques.
To recapitulate, the following table illustrates how badly affected each vulnerability type listed above is:

| Vulnerability Type | Affected by SameSite |
| --- | --- |
| JSONP Leaks | 😦 Partly Dead |
| Data Exfiltration | ☠️ Totally Dead |
| CORS Misconfigurations | 😃 Mostly Fine |
| Cross-Site WebSocket Hijacking | ☠️ Totally Dead |
End of an Era?
The “Interwebz” has been working on the assumption that cookies are sent in cross-origin requests by default, so this change is likely going to break a lot of functionality. In fact, the SameSite update has already affected Microsoft Login. Chrome monkey-patched it by allowing cookies to be sent on top-level cross-site POST requests if they are at most 2 minutes old. @RenwaX23 wrote an excellent article explaining how to abuse this temporary behavior.
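To make the rules above concrete, here is an added example (not code from the original post) that models the decision a browser makes under Chrome 80's "SameSite=Lax by default": whether a cookie accompanies a request, evaluated against the request context each bug class discussed above depends on, including the temporary "Lax + POST" exception for cookies at most 2 minutes old. The hostnames (attacker.example, bank.example), the cookies and the scenario names are constructed; the registrable-domain check is simplified and does not consult the Public Suffix List.

```javascript
// Added example: model of cookie attachment under SameSite=Lax by default.
// Hostnames and cookies are constructed for illustration.

// Registrable-domain comparison, simplified for the constructed hostnames used
// here (real browsers consult the Public Suffix List). "Same-site" is what the
// attribute compares, which is looser than same-origin.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

// cookie:  { sameSite: 'Lax' | 'Strict' | 'None' | undefined, secure, ageSeconds }
// request: { initiatorHost, targetHost, method, topLevelNavigation }
// Returns true when the cookie is sent with the request.
function cookieAttached(cookie, request) {
  if (isSameSite(request.initiatorHost, request.targetHost)) return true;

  // Chrome 80: a cookie with no SameSite attribute is treated as Lax.
  const mode = cookie.sameSite === undefined ? 'Lax' : cookie.sameSite;

  if (mode === 'None') {
    // Cross-site use must be opted into explicitly, and Chrome 80 rejects
    // SameSite=None cookies that are not also marked Secure.
    return cookie.secure === true;
  }
  if (mode === 'Strict') return false;

  // Lax: sent only on top-level navigations that use a safe method, which is
  // why state-changing GET endpoints still need their own CSRF protection.
  if (request.topLevelNavigation && request.method === 'GET') return true;

  // Temporary "Lax + POST" mitigation: a cookie that did NOT specify SameSite
  // is still sent on a top-level cross-site POST if it is at most 2 minutes old.
  if (cookie.sameSite === undefined && request.topLevelNavigation &&
      request.method === 'POST' && cookie.ageSeconds <= 120) {
    return true;
  }
  return false;
}

// Request contexts behind the bug classes discussed in the post; every
// cross-site entry is a page on attacker.example reaching into bank.example.
const ATTACKER = 'attacker.example';
const BANK = 'bank.example';
const SCENARIOS = {
  clickjackingIframe:      { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: false },
  xssiScriptInclude:       { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: false },
  corsFetchWithCreds:      { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: false },
  webSocketHandshake:      { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: false },
  xsleakWindowOpen:        { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: true },
  csrfTopLevelGet:         { initiatorHost: ATTACKER, targetHost: BANK, method: 'GET',  topLevelNavigation: true },
  csrfFormPost:            { initiatorHost: ATTACKER, targetHost: BANK, method: 'POST', topLevelNavigation: true },
  sameSiteSubdomainIframe: { initiatorHost: 'app.bank.example', targetHost: BANK, method: 'GET', topLevelNavigation: false },
};

// Evaluate one cookie against every scenario; returns { scenarioName: boolean }.
function evaluate(cookie, scenarios = SCENARIOS) {
  const result = {};
  for (const [name, request] of Object.entries(scenarios)) {
    result[name] = cookieAttached(cookie, request);
  }
  return result;
}

// A typical pre-Chrome-80 session cookie: no SameSite attribute, an hour old.
const LEGACY_SESSION = { sameSite: undefined, secure: true, ageSeconds: 3600 };
// The same cookie minted 60 seconds ago, which the Lax + POST exception covers.
const FRESH_SESSION = { sameSite: undefined, secure: true, ageSeconds: 60 };

console.table({ legacy: evaluate(LEGACY_SESSION), fresh: evaluate(FRESH_SESSION) });
```

Running it shows every cross-site subresource context (iframe, script include, credentialed fetch, WebSocket handshake) losing the cookie, while the top-level navigation used by window.open-based XS-Leaks keeps it, and the classic form-POST CSRF only succeeds against a cookie younger than two minutes. The corsFetchWithCreds row models only the cookie; whether the attacker's page can read the response still depends on the server's CORS headers.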
The good news is legacy applications are likely going to offset the change themselves.
As much as I'd like to retire, I'd guess that once the dust settles a large number of the applications worth attacking will set `SameSite=none`, so don't write off CSRF / XS-Leaks just yet :) https://t.co/EjLLBPvqCb— Artur Janc (@arturjanc) January 25, 2020
In addition, other modern technologies may be forced to offset the change.
SameSite=Lax cookie issues imminent for AMP-enabled websites since the AMP cache loads under a faux first party: https://t.co/MQsEhV6GLi— John Wilander (@johnwilander) January 27, 2020
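Whether a site has offset the change is visible in its Set-Cookie headers. The following is an added example, not code from the post, that parses Set-Cookie headers and reports how each cookie behaves once Chrome 80 applies SameSite=Lax by default; the sample headers and cookie names are constructed, and the parser handles only the attributes the audit needs.

```javascript
// Added example: audit Set-Cookie headers for Chrome 80 SameSite behaviour.
// Sample headers below are constructed.

// Minimal Set-Cookie parser: name=value followed by ;-separated attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    secure: false,
    httpOnly: false,
    sameSite: undefined, // attribute absent
  };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const value = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// Returns { name, effective, crossSite, finding } where:
//   effective - enforcement the browser applies: 'Lax' | 'Strict' | 'None' | 'rejected'
//   crossSite - whether the cookie still reaches cross-site subresource requests
//   finding   - what a reviewer should tell the site owner
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const mode = (c.sameSite || '').toLowerCase();

  if (mode === 'none') {
    if (!c.secure) {
      return { name: c.name, effective: 'rejected', crossSite: false,
               finding: 'SameSite=None without Secure: Chrome 80 drops the cookie entirely' };
    }
    return { name: c.name, effective: 'None', crossSite: true,
             finding: 'explicit cross-site opt-in: CSRF and related bug classes stay in scope' };
  }
  if (mode === 'strict') {
    return { name: c.name, effective: 'Strict', crossSite: false,
             finding: 'not sent on any cross-site request, including top-level navigation' };
  }
  if (mode === 'lax') {
    return { name: c.name, effective: 'Lax', crossSite: false,
             finding: 'sent only on top-level GET navigations from other sites' };
  }
  // Attribute missing (or an unrecognized value, which the spec treats as absent):
  // Chrome 80 defaults it to Lax, with the temporary Lax + POST exception.
  return { name: c.name, effective: 'Lax', crossSite: false,
           finding: c.sameSite === undefined
             ? 'no SameSite attribute: defaulted to Lax by Chrome 80 (Lax + POST exception for 2 minutes)'
             : `unrecognized SameSite value "${c.sameSite}": treated as absent, so Lax by default` };
}

// Constructed headers a response might carry.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure',
  'sso_token=xyz; SameSite=None',
  'sso_token=xyz; SameSite=None; Secure',
  'prefs=dark; SameSite=Strict; Secure',
  'legacy=1; SameSite=Bogus',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

for (const r of auditAll()) console.log(`${r.name}: ${r.effective} - ${r.finding}`);
```

Only the third header opts back into cross-site delivery; the second looks like an opt-in but is rejected outright because SameSite=None is not paired with Secure, and the first and last fall under the new Lax default.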
And lastly, browser support for SameSite by default varies, as illustrated below.

| Browser | SameSite by Default |
| --- | --- |
| Edge | 🧪 Experimenting with the change in Canary/Dev channels |
| Internet Explorer | ❌ No Signals |
For now, it is safe to say that while CSRF and other client-side vulnerabilities may be affected by the SameSite feature, they are not completely dead, because it may be a while before sites are fully prepared for the change. Bug bounty hunters may still enjoy the last bit of this Internet antiquity until the time comes.