Modern Browser Defenses

Modern Browser Defenses Against Cookie Theft

CORS relaxes the SOP.
With overly permissive CORS headers, which we can validate by sending an OPTIONS (preflight) request carrying a chosen Origin header, and depending on the SameSite attribute on session-related cookies and on the endpoints the application exposes, it may be possible to exploit a user's session cookie via CSRF.
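As an added example (not code from the original page), the following JavaScript evaluates the headers returned by such a preflight from a defender's point of view and shows the allow-list logic a server should use instead of reflecting the Origin header. The header names are the real CORS headers; the sample responses and the probe origin `https://probe.example` are constructed for illustration.

```javascript
// Added example, not code from the original page: assess the CORS headers a
// preflight (OPTIONS with an Origin header) came back with, and show the
// hardened allow-list logic a server should use instead of reflecting Origin.
// The header names are the real CORS headers; the sample responses and the
// probe origin "https://probe.example" are constructed for illustration.

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// probeOrigin: the Origin value sent in the preflight. Use one the site would
// never legitimately allow-list, so an exact echo means the server reflects it.
// Returns { severity, reason }.
function assessCors(probeOrigin, responseHeaders) {
  const h = normalizeHeaders(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (acao === undefined) {
    return { severity: 'none', reason: 'no Access-Control-Allow-Origin; the SOP blocks cross-origin reads' };
  }
  if (acao === '*') {
    // Browsers refuse to combine "*" with credentials, so only the
    // uncredentialed case actually exposes anything.
    return credentials
      ? { severity: 'none', reason: '"*" with credentials is rejected by browsers' }
      : { severity: 'low', reason: 'any origin may read uncredentialed responses' };
  }
  if (acao === probeOrigin || acao === 'null') {
    const which = acao === 'null' ? '"null" origin allowed' : 'arbitrary Origin reflected';
    return credentials
      ? { severity: 'high', reason: `${which} with credentials: a cross-site page can read responses sent with the victim's cookies` }
      : { severity: 'medium', reason: `${which} without credentials` };
  }
  return { severity: 'none', reason: 'probe origin is not allowed' };
}

// Hardened server side: answer only on an exact allow-list match and never
// reflect the Origin header blindly. Returning no CORS headers leaves the SOP in force.
function buildCorsHeaders(requestOrigin, allowList) {
  if (!allowList.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's headers to another
  };
}

// Constructed sample responses: a reflecting server and the hardened builder
// answering the same probe origin.
const reflectingResponse = {
  'Access-Control-Allow-Origin': 'https://probe.example',
  'Access-Control-Allow-Credentials': 'true',
};
const hardenedResponse = buildCorsHeaders('https://probe.example', ['https://app.example']);

console.log(assessCors('https://probe.example', reflectingResponse));
console.log(assessCors('https://probe.example', hardenedResponse));
```

The first call reports `high` because the probe origin comes back verbatim together with `Access-Control-Allow-Credentials: true`; the hardened builder returns no CORS headers for an unknown origin, so the same probe reports `none`.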

Browser Policies

See SOP.

Server Side Controls

See CORS.

HTTPOnly

The presence of the HttpOnly flag on a cookie prevents us from stealing a user's session through script injection. Specifically, it blocks access to the cookie via document.cookie in our JavaScript payloads (the browser still attaches the cookie to requests, so it only stops reading, not use).

Secure Flag

The Secure flag declares that a cookie may only be transmitted over an encrypted connection (SSL/TLS, i.e. HTTPS). This flag prevents cookie theft via man-in-the-middle attacks on plaintext HTTP.
As a side note, if this flag is set on an http connection the browser ignores it.

SameSite Flag

The SameSite flag is an attribute of the Set-Cookie header. It is used to declare when web browsers should send the cookie, depending on how a visitor interacts with the site that set the cookie. This flag is used to help protect against cross-site request forgery (CSRF) attacks. The SameSite attribute may have one of the following values:

  • SameSite=Strict: The cookie is only sent if you are currently on the site that the cookie is set for. If you are on a different site and you click a link to the site that the cookie is set for, the cookie is not sent with that first request.
  • SameSite=Lax: The cookie is not sent for embedded cross-site content (e.g. scripts or images loaded from another site), but it is sent if you click on a link to the site that the cookie is set for. It is sent only with safe request types that do not change state, for example GET, HEAD and OPTIONS.
  • SameSite=None: The cookie is sent in all contexts, e.g. when navigating, when loading images and when loading iframes. The None value requires the Secure attribute, which ensures the cookie is only sent via HTTPS.
    So when a browser's default for a cookie without a SameSite attribute is None, users visiting that page may be vulnerable to CSRF (current Chromium-based browsers default to Lax).
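As an added example (not code from the original page), the following JavaScript models the rules of the HttpOnly, Secure and SameSite sections above: `parseSetCookie()` reads the three attributes from a Set-Cookie header, `shouldSendCookie()` decides whether a browser would attach the cookie to a given request, and `readableFromScript()` says whether document.cookie could expose it. The Set-Cookie values and the two request contexts are constructed samples, and the `defaultSameSite` parameter is an assumption of this model, not a browser API.

```javascript
// Added example, not code from the original page: a small model of the rules
// above. parseSetCookie() reads the Secure, HttpOnly and SameSite attributes
// from a Set-Cookie header; shouldSendCookie() decides whether a browser would
// attach the cookie to a request; readableFromScript() says whether
// document.cookie could expose it. The Set-Cookie values are constructed samples.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Parse "name=value; Attr; Attr=val" into the attributes this model cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null: attribute absent, the browser default applies
  };
  for (const attr of attrs) {
    const [key, raw = ''] = attr.split('=');
    const val = raw.trim().toLowerCase();
    switch (key.toLowerCase()) {
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      case 'samesite':
        cookie.sameSite = { strict: 'Strict', lax: 'Lax', none: 'None' }[val] || null;
        break;
      default:
        break; // Path, Domain, Expires, Max-Age are ignored in this model
    }
  }
  return cookie;
}

// ctx describes the request (all fields constructed for this model):
//   scheme: 'https' | 'http'
//   sameSiteRequest: true when the request originates from the cookie's own site
//   topLevelNavigation: true for a link click or form submission that changes the page
//   method: HTTP method
//   defaultSameSite: what the browser assumes when SameSite is absent ('Lax' in
//                    current Chromium; older browsers behaved as 'None')
function shouldSendCookie(cookie, ctx) {
  const { scheme, sameSiteRequest, topLevelNavigation, method, defaultSameSite = 'Lax' } = ctx;

  // An explicit SameSite=None without Secure is rejected by browsers, so it is never sent.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  // Secure cookies travel only over HTTPS.
  if (cookie.secure && scheme !== 'https') return false;
  // Same-site requests always carry the cookie (subject to the checks above).
  if (sameSiteRequest) return true;

  switch (cookie.sameSite || defaultSameSite) {
    case 'Strict':
      return false;
    case 'Lax':
      return topLevelNavigation && SAFE_METHODS.has(method.toUpperCase());
    case 'None':
      return true;
    default:
      return false;
  }
}

// HttpOnly cookies are invisible to document.cookie.
function readableFromScript(cookie) {
  return !cookie.httpOnly;
}

// Two cross-site request shapes: a background POST (the CSRF case) and a plain link click.
const crossSitePost = { scheme: 'https', sameSiteRequest: false, topLevelNavigation: false, method: 'POST' };
const crossSiteLink = { scheme: 'https', sameSiteRequest: false, topLevelNavigation: true, method: 'GET' };

const SAMPLE_HEADERS = [
  'session=abc123; Secure; HttpOnly; SameSite=Strict',
  'session=abc123; Secure; HttpOnly; SameSite=Lax',
  'session=abc123; Secure; SameSite=None',
  'session=abc123',
];

for (const header of SAMPLE_HEADERS) {
  const c = parseSetCookie(header);
  console.log(
    header.padEnd(52),
    'CSRF POST:', shouldSendCookie(c, crossSitePost),
    'link:', shouldSendCookie(c, crossSiteLink),
    'script:', readableFromScript(c),
  );
}
```

Running it shows the Strict cookie withheld from both cross-site requests, the Lax cookie withheld from the POST but sent on the link click, the None cookie sent on both, and the attribute-less cookie behaving like Lax under the modern default but like None when `defaultSameSite: 'None'` is passed, which is the CSRF-prone case the text describes.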