Python Cookie Samesite None Set
Description
Detects when Flask cookies are configured with SameSite=None, which makes the application vulnerable to Cross-Site Request Forgery (CSRF) attacks. When cookies lack SameSite protection, they can be sent in cross-origin requests, potentially allowing attackers to perform unauthorized actions on behalf of authenticated users.
Detection Strategy
• Checks if the Flask framework is imported in the codebase
• Identifies cookie configurations in the application code
• Reports a vulnerability when cookies are explicitly set with SameSite=None
• Examines session cookie settings and configuration options in Flask applications
Vulnerable code example

from flask import Flask

app = Flask(__name__)

# Insecure: sets SameSite=None, so the session cookie is attached to cross-site requests
# and the session is exposed to CSRF attacks
app.config["SESSION_COOKIE_SAMESITE"] = "None"


@app.route("/")
def index():
    # Minimal view function so the example runs
    return "Hello"

✅ Secure code example

from flask import Flask

app = Flask(__name__)

# Set SameSite=Lax: the session cookie is withheld from cross-site subrequests (which blocks CSRF)
# but is still sent on top-level navigations, so normal links into the application keep working
app.config["SESSION_COOKIE_SAMESITE"] = "Lax"


@app.route("/")
def index():
    # Minimal view function so the example runs
    return "Hello"
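The detection strategy listed above, implemented as an added standalone static check. This is example code written for this page, not Fluid Attacks' scanner: it parses a Python module with the standard library's ast module, confirms that flask is imported, and reports every place a cookie is explicitly given SameSite=None, whether through app.config[...] = "None", app.config.update(...="None") or a set_cookie(..., samesite="None") call. The sample sources at the top of the block are constructed for the demonstration. It deliberately matches only the string "None": Flask's SESSION_COOKIE_SAMESITE default is the Python value None, which omits the attribute rather than sending SameSite=None, so that case is not a finding for this rule.

```python
import ast
from typing import List, Tuple

# Constructed sample modules (not from the original page) used to exercise the checker.
VULNERABLE_SRC = '''
from flask import Flask, make_response
app = Flask(__name__)
app.config["SESSION_COOKIE_SAMESITE"] = "None"
app.config.update(REMEMBER_COOKIE_SAMESITE="None")

@app.route("/")
def index():
    resp = make_response("ok")
    resp.set_cookie("tracker", "1", samesite="None", secure=True)
    return resp
'''

SAFE_SRC = '''
from flask import Flask
app = Flask(__name__)
app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
'''

# Same setting name, but Flask is never imported: outside this rule's scope.
NO_FLASK_SRC = '''
config = {}
config["SESSION_COOKIE_SAMESITE"] = "None"
'''


def imports_flask(tree: ast.Module) -> bool:
    """Step 1 of the detection strategy: is the Flask framework imported at all?"""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] == "flask" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] == "flask":
                return True
    return False


def _is_samesite_none(node: ast.AST) -> bool:
    """True for the string literal "None" (case-insensitive). A Python None is *not*
    matched: in Flask that means "omit the attribute", not SameSite=None."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lower() == "none")


def _subscript_key(target: ast.Subscript):
    """Return the string key of cfg["KEY"], tolerating the pre-3.9 ast.Index wrapper."""
    key = target.slice
    index_cls = getattr(ast, "Index", None)
    if index_cls is not None and isinstance(key, index_cls):
        key = key.value
    return key.value if isinstance(key, ast.Constant) else None


def find_samesite_none(source: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for every explicit SameSite=None cookie setting."""
    tree = ast.parse(source)
    if not imports_flask(tree):
        return []
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            # app.config["SESSION_COOKIE_SAMESITE"] = "None" (REMEMBER_COOKIE_SAMESITE etc. too)
            for target in node.targets:
                if isinstance(target, ast.Subscript):
                    key = _subscript_key(target)
                    if (isinstance(key, str) and key.endswith("COOKIE_SAMESITE")
                            and _is_samesite_none(node.value)):
                        findings.append((node.lineno, f'{key} = "None"'))
        elif isinstance(node, ast.Call):
            # app.config.update(SESSION_COOKIE_SAMESITE="None") or set_cookie(..., samesite="None")
            for kw in node.keywords:
                if kw.arg is None:  # **kwargs expansion, nothing to inspect statically
                    continue
                if ((kw.arg.endswith("COOKIE_SAMESITE") or kw.arg == "samesite")
                        and _is_samesite_none(kw.value)):
                    findings.append((node.lineno, f'{kw.arg}="None"'))
    return sorted(findings)


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("safe", SAFE_SRC), ("no flask", NO_FLASK_SRC)]:
        print(name, find_samesite_none(src))
```

Running the block prints three findings for the vulnerable module (the session setting, the config.update call and the set_cookie call) and nothing for the other two. The import gate mirrors the first bullet of the detection strategy: the same assignment in a module that never imports Flask is not reported, because the configuration key only has meaning for a Flask application.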