TypeScript Insecure SameSite Cookie Attribute
Description
Detects cookies set without proper SameSite attribute configuration in TypeScript code. Missing or improperly configured SameSite attributes can make applications vulnerable to cross-site request forgery (CSRF) attacks by allowing cookies to be sent in cross-origin requests. This poses a security risk as malicious sites could perform actions on behalf of authenticated users.
Detection Strategy
• Identifies cookie-setting operations in the code by looking for specific method calls that set or modify cookies
• Examines the arguments passed to cookie-setting methods to check if a SameSite attribute is present and properly configured
• Reports a vulnerability when cookie-setting code is found without appropriate SameSite attribute specification
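As an added example (not part of Fluid Attacks' rule or this page), a small TypeScript checker that applies the three steps above to the two ways Express code usually sets cookies: a raw Set-Cookie header string, as in the examples below, and the options object passed to res.cookie(). All function and type names are my own.

```typescript
// Added example: applies the detection strategy to Set-Cookie header strings
// and to Express res.cookie() option objects. Names are assumptions, not an API.
type Severity = 'none' | 'warn' | 'high';
interface Finding { severity: Severity; message: string; }

// Parses a Set-Cookie header value into an attribute map (names lower-cased;
// flag attributes such as Secure map to an empty string).
function parseSetCookie(header: string): Map<string, string> {
  const attrs = new Map<string, string>();
  const parts = header.split(';').map((p) => p.trim());
  for (const part of parts.slice(1)) {          // parts[0] is name=value
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (name) attrs.set(name, value);
  }
  return attrs;
}

// Rule: SameSite must be present and be Lax or Strict. None is reported, and
// a missing attribute is reported too, because browsers that predate the
// Lax-by-default behaviour treat an absent SameSite as None.
function checkSameSite(sameSite: string | undefined, secure: boolean): Finding {
  if (sameSite === undefined) {
    return { severity: 'high', message: 'SameSite attribute missing' };
  }
  const v = sameSite.toLowerCase();
  if (v === 'none') {
    const note = secure ? '' : ' (and Secure is missing, so browsers reject it)';
    return { severity: 'high', message: `SameSite=None allows cross-site requests${note}` };
  }
  if (v === 'lax' || v === 'strict') {
    return { severity: 'none', message: `SameSite=${sameSite} is acceptable` };
  }
  return { severity: 'warn', message: `Unrecognised SameSite value "${sameSite}"` };
}

function checkSetCookieHeader(header: string): Finding {
  const attrs = parseSetCookie(header);
  return checkSameSite(attrs.get('samesite'), attrs.has('secure'));
}

// Express res.cookie() accepts sameSite as a string or boolean:
// true emits SameSite=Strict, false emits no attribute at all.
function checkCookieOptions(opts: { sameSite?: boolean | 'lax' | 'strict' | 'none'; secure?: boolean }): Finding {
  const ss = opts.sameSite === true ? 'strict' : opts.sameSite === false ? undefined : opts.sameSite;
  return checkSameSite(ss, opts.secure === true);
}
```

Running checkSetCookieHeader over the two header strings from the examples below reports the SameSite=None cookie and passes the SameSite=Lax one.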
Vulnerable code example

```typescript
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Vulnerable: SameSite=None allows CSRF attacks
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=None');
  // ... (rest of the handler is elided on the original page)
});
```

✅ Secure code example
```typescript
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Secure: SameSite=Lax prevents CSRF while allowing common cross-site navigation
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=Lax');
  // ... (rest of the handler is elided on the original page)
});
```