Part 2: SameSite Attribute 

In part 1 we looked at the SameSite attribute; here we run through a quick demo of a CSRF (Cross-Site Request Forgery) attack attempted with Chrome’s SameSite-by-default enforcement enabled.

Note: when attempting this on the latest version of Chrome (version 80 at the time of writing) the new default did not take effect. The reference here states that the change will be rolled out later in February. For now, the behaviour had to be enabled via chrome://flags/#same-site-by-default-cookies. To try this yourself, go to http://samesite-demo.herokuapp.com/.

This demo application provides the following greeting page when first visited with no cookie set:

Samesite Graphic 1

Simply entering a name and clicking “Set Name” sets a cookie named “name” with the entered value:

Samesite Graphic 2
Viewing this in the browser shows that the SameSite attribute is not set. Chrome therefore treats the cookie as SameSite=Lax by default, with one exception: for the first 2 minutes after it is set, a cookie with no SameSite attribute is still sent on top-level cross-site POST requests (the “Lax+POST” mitigation, added so that login flows which POST back from another site are not broken):

Samesite Graphic 3 

There is also a change feature which replaces the name value with whatever is entered:

Samesite Graphic 4

This shows that it has been changed:

Samesite Graphic 5

This change feature performs a POST request to “change.php” with a single form field, name, carrying the new value. A simple CSRF Proof of Concept (POC) is therefore a page that automatically submits such a form to change.php when visited:

Samesite Graphic 6

When the POC page is visited, the request is issued and the change is made. At the same time Chrome shows a message advising that the 2-minute exception is in place, which is why the cookie was sent and the request allowed:

Samesite Graphic 7
Changing the POC slightly, in this case setting the value to “csrf2”:

Samesite Graphic 8

Visiting this csrf.html POC again, after the 2-minute exception has expired, the page now shows “No cookie found”. This means the cookie was not included in the second CSRF request. Chrome also shows a message indicating the cookie was blocked because it lacks a SameSite attribute with the value “None” together with the Secure attribute.

Samesite Graphic 9

Until the rollout later in February, CSRF against Chrome users is still allowed by default. Once the new default is in place, and provided developers do not set the SameSite attribute explicitly, CSRF is limited to the 2-minute Lax+POST window (plus the top-level GET navigations that Lax still permits, so state-changing GET endpoints remain exposed). However, once developers set the SameSite attribute themselves, CSRF may still be possible depending on how the cookies are set, e.g. marking a cookie SameSite=None; Secure when it does not need to be.
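To make the three behaviours seen in the demo concrete (Lax by default for cookies with no SameSite attribute, the 2-minute Lax+POST window, and SameSite=None only being honoured with Secure), here is an added example that is not part of the original post or the demo application: a small Node.js model of Chrome 80’s cookie-attachment decision, plus a builder for the auto-submitting form used as the CSRF POC. The cookie objects, request shapes, timings and the laxByDefault switch are assumptions made for illustration; the real browser logic has more cases (e.g. HEAD and other safe methods, schemeful same-site) than this model covers.

```javascript
// Added example (not the original post's or the demo app's code). Models how
// Chrome 80 decides whether to attach a cookie to a request, with the demo's
// three cases: Lax-by-default, the 2-minute "Lax+POST" window for cookies that
// carry no SameSite attribute, and SameSite=None requiring Secure.
// Cookie and request shapes below are constructed for illustration.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chrome's "Lax+POST" grace period
const SAFE_METHODS = new Set(["GET", "HEAD"]); // methods a Lax cookie rides on

// Build the auto-submitting CSRF POC page (the csrf.html of the demo).
// Assumed parameters: form action URL, field name and value to inject.
function buildCsrfPoc(action, fieldName, value) {
  const esc = (s) =>
    String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return [
    '<html><body onload="document.forms[0].submit()">',
    `<form method="POST" action="${esc(action)}">`,
    `<input type="hidden" name="${esc(fieldName)}" value="${esc(value)}">`,
    "</form></body></html>",
  ].join("\n");
}

// Chrome 80 rejects a Set-Cookie that says SameSite=None without Secure,
// so such a cookie is never stored in the first place.
function cookieAccepted(cookie) {
  return !(cookie.sameSite === "None" && !cookie.secure);
}

// cookie:  { sameSite: "Strict"|"Lax"|"None"|undefined, secure: bool, setAt: ms }
// request: { crossSite: bool, topLevel: bool, method: "GET"|"POST", https: bool }
// now:     current time in ms, compared with cookie.setAt for the 2-minute window
// opts.laxByDefault: true for Chrome 80 with the new default on; false models
//                    older Chrome (or the flag off), where unspecified == None.
function cookieSent(cookie, request, now, opts = { laxByDefault: true }) {
  if (!cookieAccepted(cookie)) return false;       // was never stored
  if (cookie.secure && !request.https) return false; // Secure needs HTTPS
  if (!request.crossSite) return true;              // same-site: always sent

  const safeTopLevel = request.topLevel && SAFE_METHODS.has(request.method);
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "None":
      return true;
    case "Lax":
      return safeTopLevel;
    default: // no SameSite attribute
      if (!opts.laxByDefault) return true; // legacy behaviour: treated as None
      if (safeTopLevel) return true;
      // Lax+POST: top-level cross-site POST allowed only while the cookie is young
      return (
        request.topLevel &&
        request.method === "POST" &&
        now - cookie.setAt < LAX_POST_WINDOW_MS
      );
  }
}

// Replays the demo: cookie "name" set with no SameSite attribute at t=0,
// csrf.html POSTs to change.php at 30 s and again at 3 min.
function demo() {
  const nameCookie = { sameSite: undefined, secure: false, setAt: 0 };
  const pocPost = { crossSite: true, topLevel: true, method: "POST", https: false };
  return {
    withinWindow: cookieSent(nameCookie, pocPost, 30 * 1000), // true: change made
    afterWindow: cookieSent(nameCookie, pocPost, 3 * 60 * 1000), // false: "No cookie found"
    legacyChrome: cookieSent(nameCookie, pocPost, 3 * 60 * 1000, { laxByDefault: false }),
    poc: buildCsrfPoc("http://samesite-demo.herokuapp.com/change.php", "name", "csrf"),
  };
}

module.exports = { buildCsrfPoc, cookieAccepted, cookieSent, demo, LAX_POST_WINDOW_MS };
```

Running demo() reproduces the two outcomes from the screenshots (the first POST succeeds, the second after 2 minutes does not), and flipping laxByDefault to false shows why the same POC works on any Chrome that has not yet received the new default.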