Go Gin Insecure Samesite Cookie Attribute
Description
This detector identifies insecure SameSite cookie configurations in Go applications using the Gin web framework. When cookies are set with SameSite=None without proper security attributes, they become vulnerable to Cross-Site Request Forgery (CSRF) attacks and may be transmitted in cross-site contexts without user consent.
Detection Strategy
• The application imports the Gin web framework (github.com/gin-gonic/gin)
• Code contains a call to SetCookie method on a Gin context object
• The cookie configuration is determined to be insecure based on its parameters
• The execution path includes setting SameSite attribute to None
• The cookie lacks additional security protections typically required when using SameSite=None
Vulnerable code example
package main
import (
"net/http"
"github.com/gin-gonic/gin"
)
func handler(c *gin.Context) {...
✅ Secure code example
package main
import (
"net/http"
"github.com/gin-gonic/gin"
)
func handler(c *gin.Context) {...
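The following is an added example, not the page's own (truncated) code and not code from the Gin project. It uses only the standard library so it runs without the Gin dependency: Gin's c.SetSameSite and c.SetCookie wrap the same http.SetCookie call, so the Set-Cookie header is identical to what a Gin handler would emit. The cookie name and value are constructed placeholders, and the helper names (setSessionCookie, renderSetCookie, isInsecureSameSiteNone) are this example's own. The last function parses the emitted header and reports the exact pattern the detector describes: SameSite=None without the Secure attribute.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// setSessionCookie writes a cross-site session cookie. Gin's c.SetSameSite and
// c.SetCookie wrap exactly this net/http call, so the header it emits is the
// same one a Gin handler would send. The secure flag is the parameter the
// detector cares about: false reproduces the vulnerable example, true the fixed one.
func setSessionCookie(w http.ResponseWriter, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",      // constructed sample name
		Value:    "opaque-token", // constructed sample value
		Path:     "/",
		MaxAge:   3600,
		Secure:   secure,
		HttpOnly: true,
		SameSite: http.SameSiteNoneMode,
	})
}

// renderSetCookie captures the Set-Cookie header the handler would send,
// using httptest so nothing needs to listen on a socket.
func renderSetCookie(secure bool) string {
	rec := httptest.NewRecorder()
	setSessionCookie(rec, secure)
	return rec.Header().Get("Set-Cookie")
}

// isInsecureSameSiteNone parses a Set-Cookie header value and reports whether
// it declares SameSite=None without the Secure attribute. Browsers refuse to
// store such cookies, and that combination is what the detector reports.
func isInsecureSameSiteNone(header string) bool {
	sameSiteNone, secure := false, false
	for _, part := range strings.Split(header, ";") {
		attr := strings.TrimSpace(part)
		key, val, _ := strings.Cut(attr, "=")
		switch strings.ToLower(key) {
		case "samesite":
			sameSiteNone = strings.EqualFold(strings.TrimSpace(val), "none")
		case "secure":
			secure = true
		}
	}
	return sameSiteNone && !secure
}

func main() {
	for _, secure := range []bool{false, true} {
		h := renderSetCookie(secure)
		fmt.Printf("%s\n  flagged as insecure: %v\n", h, isInsecureSameSiteNone(h))
	}
}
```

Running the program prints the two headers; only the one written with secure=false is flagged. In Gin the equivalent fix is to pass secure=true in c.SetCookie whenever c.SetSameSite(http.SameSiteNoneMode) was called, and the same header check can be run against an application's responses in an integration test to catch regressions.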