Javascript Insecure Samesite Cookie Attribute
Description
Detects JavaScript code that sets cookies with an insecure SameSite attribute. The SameSite attribute helps prevent CSRF attacks by controlling whether a cookie is sent on cross-site requests. A missing or improperly configured SameSite attribute can expose an application to cross-site request forgery.
Detection Strategy
• Check calls to cookie-setting methods like document.cookie or methods that set cookie attributes
• Inspect cookie configuration arguments to identify SameSite attribute settings
• Report a vulnerability when a cookie is set without a SameSite attribute or with an insecure value such as 'None' without the Secure flag
• Flag cookie operations that don't explicitly set strict SameSite protections
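The detection strategy above, as an added example (not Fluid Attacks' own rule code): a small checker that classifies the SameSite posture of cookie-setting statements found in JavaScript source. It only understands string-literal cookie values passed to `setHeader('Set-Cookie', ...)` or assigned to `document.cookie`; template expressions and variables are skipped.

```javascript
// Classify one Set-Cookie value or document.cookie assignment. Attribute
// names and the SameSite value are matched case-insensitively, as browsers do.
function checkSameSite(cookieString) {
  const [nameValue, ...attrs] = cookieString.split(';').map((s) => s.trim());
  const cookie = nameValue.split('=')[0];
  let sameSite = null;
  let secure = false;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (key === 'secure') secure = true;
    if (key === 'samesite') sameSite = (eq === -1 ? '' : attr.slice(eq + 1)).trim().toLowerCase();
  }
  if (sameSite === null) return { cookie, finding: 'missing', detail: 'no SameSite attribute' };
  if (sameSite === 'none') {
    return secure
      ? { cookie, finding: 'none', detail: 'SameSite=None sends the cookie on cross-site requests' }
      : { cookie, finding: 'none-insecure', detail: 'SameSite=None without Secure' };
  }
  if (sameSite === 'lax' || sameSite === 'strict') return { cookie, finding: 'ok', detail: `SameSite=${sameSite}` };
  return { cookie, finding: 'invalid', detail: `unrecognised SameSite value "${sameSite}"` };
}

// Cookie sinks recognised in source text: res.setHeader('Set-Cookie', '...')
// and document.cookie = '...' with a plain string literal.
const COOKIE_SINK = /(?:setHeader\(\s*['"]Set-Cookie['"]\s*,\s*|document\.cookie\s*=\s*)(['"])([^'"]*)\1/g;

// Return every non-'ok' finding with the 1-based line it was found on.
function scanSource(source) {
  const results = [];
  for (const match of source.matchAll(COOKIE_SINK)) {
    const line = source.slice(0, match.index).split('\n').length;
    const result = checkSameSite(match[2]);
    if (result.finding !== 'ok') results.push({ line, ...result });
  }
  return results;
}

// Constructed sample: the page's vulnerable and secure examples plus two
// browser-side assignments (one missing SameSite, one Strict).
const SAMPLE = [
  "res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=None');",
  "res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=Lax');",
  "document.cookie = 'session=xyz; Path=/';",
  "document.cookie = 'pref=dark; Secure; SameSite=Strict';",
].join('\n');

console.log(scanSource(SAMPLE)); // reports line 1 (none) and line 3 (missing)
```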
Vulnerable code example
import express from 'express';
const app = express();

app.get('/login', (req, res) => {
  // Vulnerable: SameSite=None allows CSRF attacks
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=None');
  res.send('Cookie set');
});
✅ Secure code example
import express from 'express';
const app = express();

// Method 1: Using raw header with SameSite=Lax (recommended default)
app.get('/login', (req, res) => {
  // Safe: SameSite=Lax prevents CSRF while allowing common use cases
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=Lax');
  res.send('Cookie set');
});