Samesite by Default and What It Means for Bug Bounty Hunters

31 January 2020

You have probably heard of the SameSite attribute addition to HTTP cookies since Chrome 51 (and a specification thereafter). It was advertised as a CSRF killer. This attribute is going to be set by default for all cookies in Chrome 80 (February 4, 2020). We will explore what it truly means and if it really kills CSRF.

After the update, all cookies without an explicit SameSite attribute will be treated as having SameSite=Lax . This means cross-origin requests no longer carry cookies, except for top-level navigations.

While this may come as sad news to bug bounty hunters, modern webapp frameworks have already largely mitigated CSRF so this doesn’t seem that bad — CSRF is no longer in the OWASP Top 10.

This begs the question: Is CSRF the only bug class that relies on authenticated cross-origin requests?

It turns out, there are a few other client-side vulnerabilities that require cookies to be present in cross-origin requests. A lot of online articles highlight the effects on CSRF but fail to mention the other impacted vulnerabilities. Below are a few bug classes that will be affected by the introduction of SameSite by default.

Clickjacking

To make Clickjacking work, the victim needs to be authenticated in an iframe embedded in the attacker’s page. Since the iframe is making a cross-origin request, by dropping cookies, the victim will not be authenticated, and hence the attack will fail. Clickjacking is still a threat for Single Page Applications (SPAs) that store session ID/access tokens in localStorage or sessionStorage .

Cross-Site Script Inclusion

To exploit XSSI, an attacker embeds an authenticated cross-origin subresource that contains sensitive data of the victim. The response may not be a JavaScript file but browsers still try to parse it for compatibility reasons. Again this involves issuing a cross-origin request to fetch an authenticated subresource so this attack will not work. It is worth noting that CORB has partially addressed this type of vulnerability, but the SameSite update is the final nail in the coffin.

JSONP Leaks

Although they are a subset of XSSI, JSONP leaks may still work in specific scenarios. This is because JSONP is intended to be used cross-origin, and hence site owners will undo SameSite on cookies. Cases where an adversary exploits accidental JSONP support by middleware (adding ?callback= to an endpoint) will be eliminated.

Data Exfiltration

This bug category abuses different techniques to bypass SOP. Examples include CSS Exfiltration and SOP bypass on browser level. These examples are affected in the same way as XSSI — cross-origin requests are no longer authenticated.

XSLeaks

XSLeaks will be affected for the same reason as XSSI. That being said, certain side-channel techniques via window.open may still work since those are considered top-level navigation.

CORS Misconfigurations

CORS misconfigurations may be the least affected vulnerability class mentioned here because CORS is meant to be used cross-origin, as the name suggests. When developers intentionally enable CORS they will be circumventing the SameSite attribute and allowing authenticated cross-origin requests. Keep in mind though, even when intentionally enabled, most exploitable cases consist of a white-list bypass as we have seen in the past. Attacks that rely on sites that have accidentally enabled CORS are most likely going to be affected by SameSite=Lax because it will force the request to drop the cookies.

Cross-Site WebSocket Hijacking

Much like CSRF, CSWSH is where a page can establish a cross-origin connection but via a WebSocket. This bug class will be impacted by the introduction of SameSite by default.

XSS

XSS is affected when an exploit chain involves a cross-origin response. For instance, when attempting to bypass a CSP via an authenticated JSONP endpoint or RPO via Open Redirect not under attackers’ control.

The list is, of course, not conclusive as there are many variations based on similar techniques.

To recapitulate, the following table illustrates how badly affected each vulnerability type listed above is:

Vulnerability Type Affected by SameSite Clickjacking 😦Partly Dead XSSI ☠️Totally Dead JSONP Leaks 😦Partly Dead Data Exfiltration ☠️Totally Dead XSLeaks 😵Mostly Dead CORS Misconfigurations 😃Mostly Fine Cross-Site WebSocket Hijacking ☠️Totally Dead XSS 😃Mostly Fine

End of an Era?

The “Interwebz” has been working on the assumption that cookies are sent in cross-origin requests by default, so this change is likely going to break a lot of functionality. In fact, the SameSite update has already affected Microsoft Login.

Chrome monkey-patched it by allowing cookies to be sent on top-level cross-site POST requests if they are at most 2 minutes old. @RenwaX23 wrote an excellent article explaining how to abuse this temporary behavior.

The good news is legacy applications are likely going to offset the change themselves.

As much as I'd like to retire, I'd guess that once the dust settles a large number of the applications worth attacking will set `SameSite=none`, so don't write off CSRF / XS-Leaks just yet :) https://t.co/EjLLBPvqCb — Artur Janc (@arturjanc) January 25, 2020

In addition, other modern technologies may be forced to offset the change.

SameSite=Lax cookie issues imminent for AMP-enabled websites since the AMP cache loads under a faux first party: https://t.co/MQsEhV6GLi — John Wilander (@johnwilander) January 27, 2020

And lastly, browser support for SameSite by default vary as illustrated below.