Cookie with SameSite Attribute None, evidence empty


Adam Groszer

Oct 25, 2021, 10:08:48 AM10/25/21
to OWASP ZAP User Group
Hi,

I get here a finding:

Low
Cookie with SameSite Attribute None
Description
A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.


URL
https://app.shoobx.com/
Method
GET
Parameter

Attack

Evidence

URL
https://app.shoobx.com/robots.txt
Method
GET
Parameter

Attack

Evidence

Instances
2
Solution
Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Reference
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site
CWE Id
1275
WASC Id
13
Plugin Id
10054

AFAICS it tries to point me to a cookie, but which one? Evidence is empty.

Is it me or is it a bug?
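The alert pasted above reports a SameSite=None cookie but leaves "Evidence" blank, so there is nothing to tell the reader which Set-Cookie header triggered it. The following added example (not part of the original post and not ZAP's own code) shows what such a check looks like when it does record evidence: it parses Set-Cookie headers, flags cookies whose SameSite is None or absent, notes SameSite=None cookies that lack Secure (which browsers reject), and returns the raw header alongside each finding. The function names and the sample headers are constructed for illustration and are not taken from app.shoobx.com.

```python
"""Flag Set-Cookie headers whose SameSite attribute is None or missing.

Constructed example, not ZAP's code. It mirrors the intent of the
"Cookie with SameSite Attribute None" rule and keeps the offending
Set-Cookie header as evidence for each finding.
"""
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse one Set-Cookie header value into a dict.

    The first segment is the name=value pair (stored under 'name' and
    'value'); remaining segments are attributes keyed in lowercase, with
    None as the value for flag attributes such as Secure or HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def samesite_findings(headers: List[str]) -> List[Dict[str, str]]:
    """Return one finding per cookie whose SameSite is None or missing.

    Each finding carries the cookie name, a short description of the
    issue, and the raw header as evidence. Cookies with SameSite=Lax or
    SameSite=Strict produce no finding.
    """
    findings: List[Dict[str, str]] = []
    for h in headers:
        c = parse_set_cookie(h)
        ss = c.get("samesite")
        ss_norm = ss.lower() if ss else None
        if ss_norm in ("lax", "strict"):
            continue
        if ss_norm == "none":
            issue = "SameSite=None"
            if "secure" not in c:
                # Browsers reject SameSite=None cookies that are not Secure.
                issue += " without Secure (browsers reject this)"
        elif ss is None:
            issue = "SameSite attribute missing (browser default applies)"
        else:
            issue = f"unrecognised SameSite value {ss!r}"
        findings.append({"cookie": c["name"], "issue": issue, "evidence": h})
    return findings


# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracker=xyz; Path=/; Secure; SameSite=None",
    "legacy=old; Path=/",
    "broken=1; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for f in samesite_findings(SAMPLE_HEADERS):
        print(f"{f['cookie']}: {f['issue']}\n  evidence: {f['evidence']}")
```

Running the block prints three findings (tracker, legacy, broken) with the header that produced each one, which is the detail the alert above is missing. Feeding it the Set-Cookie headers from the two URLs in the alert would identify the cookie ZAP was pointing at.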