

SameSite Wiki

Stable

SameSite Policy Bypass

This article lists the threats and techniques that attackers can leverage to bypass SameSite cookie protections. Note that SameSite policies can also be circumvented via Policy Downgrades caused by inconsistent configuration.

Single Sign-On HTTP Redirects Bypass

The Lax+POST exception provides a two-minute window, counted from the moment a cookie is set, during which Lax protection is not enforced (a cookie set without an explicit SameSite attribute is still attached to top-level cross-site POST requests). A possible attack consists of installing fresh cookies via cross-site requests and then exploiting cross-site (XS) vulnerabilities within that two-minute window. Fresh cookies can be installed, for example, by abusing Single Sign-On Identity Providers (IdPs) that automatically re-log a user in via HTTP GET requests, without requiring user interaction such as a CAPTCHA [1].

The attack against a target site proceeds as follows. First, the attacker lures a user to an attack page. Using the window.open() API, the page asks the IdP to re-log the user in at the target site. As a result of the SSO login, the target site establishes a new authenticated session with the user's browser and sets a fresh session cookie. Because that cookie is less than two minutes old, the target site's Lax protection is not enforced, and the attacker can mount XS attacks during that window.
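The two-minute window described above is easiest to reason about as a decision rule. The following is an added example, not code from the SameSite Wiki or from the cited write-up: a small model of the browser's Lax+POST decision (Chrome's "Lax-allowing-unsafe" behaviour for cookies that carry no explicit SameSite attribute), together with a defender-side check that flags Set-Cookie headers which leave that window open. The cookie names, headers and timestamps are constructed; the `timeline()` helper replays the attack flow from the text (a fresh session cookie set by the SSO re-login, then a cross-site POST inside and outside the window) and shows that an explicit `SameSite=Lax` attribute closes the window entirely.

```javascript
// Added example (not part of the SameSite Wiki or the cited write-up): a model
// of the browser's Lax+POST decision plus a defender-side Set-Cookie check.
// Constants follow Chrome's documented "Lax-allowing-unsafe" behaviour: a cookie
// with no explicit SameSite attribute is treated as Lax, except that for the
// first two minutes after it is set it is also attached to top-level cross-site
// POST requests. All sample headers and timestamps below are constructed.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // the two-minute window from the article
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const KNOWN_SAMESITE = new Set(['none', 'lax', 'strict']);

// Parse one Set-Cookie header into the fields the decision needs.
// sameSite === null means the attribute was absent or unrecognised, in which
// case the cookie draft spec says to apply the browser default (Lax+POST).
function parseSetCookie(header, setAtMs) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    sameSite: null,
    secure: false,
    setAt: setAtMs,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'samesite') {
      const val = v.toLowerCase();
      cookie.sameSite = KNOWN_SAMESITE.has(val) ? val : null;
    }
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Would the browser attach `cookie` to this request?
// request = { method, crossSite, topLevel, nowMs }
function cookieIsSent(cookie, request) {
  if (!request.crossSite) return true; // same-site requests always carry it

  let mode = cookie.sameSite;
  let laxAllowingUnsafe = false;
  if (mode === null) {
    mode = 'lax'; // no attribute: Lax by default ...
    laxAllowingUnsafe = true; // ... with the Lax+POST exception
  }
  const isSafe = SAFE_METHODS.has(request.method.toUpperCase());

  switch (mode) {
    case 'none':
      // Chrome rejects SameSite=None cookies that lack Secure; modelled as never sent.
      return cookie.secure;
    case 'strict':
      return false;
    case 'lax':
      if (!request.topLevel) return false; // Lax never covers cross-site subresources
      if (isSafe) return true; // top-level GET navigations are allowed under Lax
      // Unsafe top-level request (e.g. a POST form submission): sent only inside
      // the window, and only when the cookie had no explicit attribute.
      return laxAllowingUnsafe && request.nowMs - cookie.setAt < LAX_POST_WINDOW_MS;
    default:
      return false;
  }
}

// Defender-side check: does this Set-Cookie header leave the Lax+POST window
// open? Only cookies without an explicit, valid SameSite attribute do, so the
// fix is to set SameSite=Lax (or Strict) explicitly on session cookies.
function laxPostWindowOpen(header) {
  return parseSetCookie(header, 0).sameSite === null;
}

// Replay the attack flow from the article with constructed timestamps:
// t0 = the SSO re-login (a top-level GET) sets the session cookie, then the
// attacker's page issues a cross-site top-level POST at t0+60s and t0+3min.
function timeline(header) {
  const t0 = 1700000000000; // constructed epoch-ms timestamp of the re-login
  const cookie = parseSetCookie(header, t0);
  const crossSitePost = (nowMs) =>
    cookieIsSent(cookie, { method: 'POST', crossSite: true, topLevel: true, nowMs });
  return {
    postAfter60s: crossSitePost(t0 + 60 * 1000),   // inside the two-minute window
    postAfter3min: crossSitePost(t0 + 180 * 1000), // window already closed
  };
}

for (const h of ['session=abc; Path=/; HttpOnly', 'session=abc; Path=/; HttpOnly; SameSite=Lax']) {
  console.log(h, '->', timeline(h), '| window open:', laxPostWindowOpen(h));
}
```

The first header (no SameSite attribute) reports `postAfter60s: true, postAfter3min: false`, which is exactly the window the attack depends on; the second header reports `false` for both, since an explicit `SameSite=Lax` never participates in the Lax+POST exception. Running `laxPostWindowOpen()` over a site's Set-Cookie headers is therefore a cheap way to find session cookies that still rely on the browser default.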

References

  1. Renwa, Bypass SameSite Cookies Default to Lax and get CSRF. Link