Description
The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).
Potential Impact
Confidentiality, Integrity, Non-Repudiation, Access Control
Modify Application Data
Demonstrative Examples
The following Express-style code sets a session cookie without a SameSite attribute:

```javascript
let sessionId = generateSessionId()
let cookieOptions = { domain: 'example.com' }
response.cookie('sessionid', sessionId, cookieOptions)
```

An attacker-controlled page can then submit a cross-site POST, and the browser attaches the session cookie to it:

```html
<html>
<form id=evil action="http://local:3002/setEmail" method="POST">
<input type="hidden" name="newEmail" value="attacker@example.com" />
</form>
<script>evil.submit()</script>
</html>
```

Setting sameSite to 'Strict' stops the browser from sending the cookie on that cross-site request:

```javascript
let sessionId = generateSessionId()
let cookieOptions = { domain: 'example.com', sameSite: 'Strict' }
response.cookie('sessionid', sessionId, cookieOptions)
```

Mitigations & Prevention
Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more likely to cause state-changing side effects.
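As an added example (not part of the CWE entry), the audit below parses Set-Cookie headers and flags session-like cookies that lack SameSite or use SameSite=None, which is the condition the mitigation above guards against; the SENSITIVE_NAME pattern and the sample headers are constructed assumptions.

```javascript
// Added example: audit Set-Cookie headers for CWE-1275 (not from the CWE entry).
// Cookie names matched by SENSITIVE_NAME are treated as sensitive (assumption).
const SENSITIVE_NAME = /session|sess|auth|token|csrf|jwt/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, v] = part.split('=');
    attrs[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, value, attrs };
}

// Return findings for sensitive cookies whose SameSite attribute is missing or None.
function auditSetCookie(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SENSITIVE_NAME.test(c.name)) continue;
    const sameSite = String(c.attrs.samesite || '').toLowerCase();
    if (sameSite === '') {
      findings.push(`${c.name}: SameSite missing; browser defaults vary, set Lax or Strict explicitly`);
    } else if (sameSite === 'none') {
      findings.push(`${c.name}: SameSite=None sends the cookie on cross-site POSTs; CSRF token required`);
      if (c.attrs.secure !== true) {
        findings.push(`${c.name}: SameSite=None without Secure is rejected by Chromium-based browsers`);
      }
    }
  }
  return findings;
}

// Constructed sample headers: the page's vulnerable cookie, a None cookie,
// the fixed cookie, and a non-sensitive cookie that should not be reported.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Domain=example.com; Path=/',
  'authtoken=xyz; Domain=example.com; SameSite=None',
  'sessionid=abc123; Domain=example.com; SameSite=Strict; Secure; HttpOnly',
  'theme=dark; SameSite=None',
];

auditSetCookie(SAMPLE_HEADERS).forEach((f) => console.log(f));
```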
Detection Methods
- Automated Static Analysis (effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-24045 | Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the SameSite security attribute, allowing the cookie to be sniffed |
Related Weaknesses
Frequently Asked Questions
What is CWE-1275?
CWE-1275 (Sensitive Cookie with Improper SameSite Attribute) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
How can CWE-1275 be exploited?
Attackers can exploit CWE-1275 (Sensitive Cookie with Improper SameSite Attribute) to modify application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-1275?
Key mitigations include: Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF
What is the severity of CWE-1275?
CWE-1275 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVE.