Java Samesite None Set
Description
Detects Spring Framework configurations that explicitly set cookie SameSite attribute to 'None'. This makes cookies accessible in cross-site requests, potentially exposing the application to CSRF (Cross-Site Request Forgery) attacks since cookies will be sent with requests from any domain.
Detection Strategy
• Scan Java properties files for cookie configuration settings
• Look for property key 'server.servlet.session.cookie.same-site' (case insensitive)
• Check if the corresponding value is set to 'none' (case insensitive)
• Report vulnerability when both conditions are met
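The four steps above, as an added example that is not part of the original page or of Fluid Attacks' own scanner: a small Python checker that walks a Java .properties file line by line, matches the key case-insensitively and flags a value of 'none'. Two choices are mine, not the page's: the key comparison uses endswith so that both the documented Spring Boot key and the 'spring.'-prefixed form shown in the page's examples are caught, and the value check uses a word boundary so that an annotated line such as 'None # note' is still reported while 'Nonexistent' is not. The sample configurations are constructed for the demo.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Property key from the detection strategy; compared case-insensitively.
SAMESITE_KEY = "server.servlet.session.cookie.same-site"

# One .properties entry: "key=value", "key: value" or "key value".
# Lines starting with '#' or '!' are comments and never carry a setting.
_PROPERTY_RE = re.compile(r"^\s*(?P<key>[^=:\s]+)\s*[=:\s]\s*(?P<value>.*?)\s*$")
_COMMENT_RE = re.compile(r"^\s*[#!]")


class Finding(NamedTuple):
    line_no: int
    key: str
    value: str
    message: str


def parse_property(line: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) for a settings line, or None for blank/comment/keyless lines."""
    if not line.strip() or _COMMENT_RE.match(line):
        return None
    match = _PROPERTY_RE.match(line)
    if match is None:
        return None
    return match.group("key"), match.group("value")


def is_samesite_none(key: str, value: str) -> bool:
    """Both detector conditions: key matches (case-insensitive) and value is 'none'."""
    # endswith (my choice) also accepts a prefixed key such as "spring.server..."
    key_matches = key.lower().endswith(SAMESITE_KEY)
    # \b keeps "None # inline note" flagged but leaves e.g. "Nonexistent" alone
    value_is_none = re.match(r"none\b", value, re.IGNORECASE) is not None
    return key_matches and value_is_none


def scan_properties(text: str) -> List[Finding]:
    """Step 1-4: scan every line, report where key and value both match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_property(line)
        if parsed is None:
            continue
        key, value = parsed
        if is_samesite_none(key, value):
            findings.append(Finding(
                line_no, key, value,
                "Session cookie SameSite=None: cookie is sent on cross-site "
                "requests; set same-site to Strict (or Lax) and secure=true",
            ))
    return findings


# Constructed sample inputs for the demo (not taken from a real project).
SAMPLE_VULNERABLE = """# Application properties configuration
server.servlet.session.cookie.same-site=None
server.servlet.session.cookie.secure=false
"""

SAMPLE_SECURE = """# Application properties configuration
server.servlet.session.cookie.same-site=Strict
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.http-only=true
"""


def demo() -> Tuple[int, int]:
    """Return (findings in vulnerable sample, findings in secure sample)."""
    vulnerable = scan_properties(SAMPLE_VULNERABLE)
    secure = scan_properties(SAMPLE_SECURE)
    for finding in vulnerable:
        print(f"line {finding.line_no}: {finding.key}={finding.value} -> {finding.message}")
    return len(vulnerable), len(secure)


if __name__ == "__main__":
    demo()
```

Running the script prints one finding for the vulnerable sample (line 2) and none for the hardened one; a commented-out setting is ignored because the comment check runs before the key/value split.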
Vulnerable code example
# Application properties configuration
spring.server.servlet.session.cookie.same-site=None # Vulnerable: SameSite=None allows cross-site requests, enabling CSRF attacks
spring.server.servlet.session.cookie.secure=false # Compounds the vulnerability by allowing non-HTTPS connections
✅ Secure code example
# Application properties configuration
spring.server.servlet.session.cookie.same-site=Strict # Strict SameSite policy prevents CSRF by blocking cross-site requests
spring.server.servlet.session.cookie.secure=true # Ensures cookies only sent over HTTPS
# Additional security hardening
spring.server.servlet.session.cookie.http-only=true # Prevents JavaScript access to cookies
spring.server.servlet.session.timeout=30m # Sets session timeout to 30 minutes