Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
The SameSite cookie attribute is a browser-level defence against CSRF, as opposed to server-side defences such as anti-CSRF tokens. It controls when the browser attaches a cookie to a cross-site request: with SameSite=Strict the cookie is only sent on same-site requests (google.com to google.com); with SameSite=Lax it is also sent on top-level navigations that use a safe method such as GET, but not on cross-site POSTs; and SameSite=None keeps the old behaviour of sending it on every request, which browsers only accept together with the Secure flag.
In early 2020 (Chrome 80, released February 2020), browsers began treating cookies that carry no SameSite attribute as SameSite=Lax instead of SameSite=None, which blocks the classic cross-site POST form of CSRF by default. But there is one special quirk...
A cookie that was set without a SameSite attribute less than two minutes earlier does NOT follow this rule on top-level cross-site POST requests: the browser still sends it along with the POST. The exception exists to give developers time to fix login flows (for instance SSO callbacks that POST back to the site) on a large number of websites without breaking them, while still limiting the damage: it applies only to top-level navigations, not to subresource requests, and it expires two minutes after the cookie is issued, so only freshly created sessions remain exposed to CSRF.
The author notes that this behaviour, named Lax + POST, is temporary. But as of January 2021, it appears that nothing has changed.
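To make the rules above concrete, here is an added example (written for this page, not code from the original post or from any browser) that models how a Chromium-style browser decides whether to attach a cookie to a request, including the Lax + POST two-minute exception. The function names (`parseSetCookie`, `shouldSendCookie`, `csrfScenario`), the request object shape and the sample Set-Cookie headers are all assumptions made for the illustration; the two-minute threshold is taken from the description above.

```javascript
// Added example: a simplified model of Chromium's SameSite cookie rules,
// including the temporary "Lax + POST" exception. Not browser code.

// Two-minute grace window for cookies set without a SameSite attribute
// (assumption taken from the page's description of the quirk).
const LAX_POST_WINDOW_MS = 2 * 60 * 1000;

// Parse a Set-Cookie header into a cookie record. `setAt` is the time (ms)
// the browser received the header; sameSite is null when the attribute is
// absent or carries an unrecognised value.
function parseSetCookie(header, setAt) {
  const parts = header.split(';').map((s) => s.trim());
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), sameSite: null, secure: false, setAt };
  for (const attr of parts.slice(1)) {
    const [key, value] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'samesite') {
      const v = (value || '').trim().toLowerCase();
      if (['strict', 'lax', 'none'].includes(v)) cookie.sameSite = v;
    } else if (k === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Decide whether `cookie` is attached to a request.
// request = { crossSite: bool, topLevel: bool, method: string, now: ms }
function shouldSendCookie(cookie, request) {
  if (!request.crossSite) return true; // same-site requests always carry the cookie
  const method = request.method.toUpperCase();
  const safeMethod = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method);

  switch (cookie.sameSite) {
    case 'strict':
      return false; // never sent cross-site
    case 'none':
      return cookie.secure; // SameSite=None is only honoured with Secure
    case 'lax':
      return request.topLevel && safeMethod; // top-level safe navigations only
    default: {
      // No attribute: Lax by default, plus the Lax + POST exception for
      // cookies younger than two minutes on top-level POST navigations.
      if (request.topLevel && safeMethod) return true;
      const age = request.now - cookie.setAt;
      return request.topLevel && method === 'POST' && age < LAX_POST_WINDOW_MS;
    }
  }
}

// A constructed CSRF scenario: an attacker page submits a top-level
// cross-site POST form against a victim site. Returns whether the session
// cookie rides along for several cookie ages and attribute choices.
function csrfScenario() {
  const issuedAt = 1_600_000_000_000; // constructed timestamp (ms)
  const post = (now) => ({ crossSite: true, topLevel: true, method: 'POST', now });
  const subresourcePost = (now) => ({ crossSite: true, topLevel: false, method: 'POST', now });

  const unspecified = parseSetCookie('session=abc123; Path=/; HttpOnly', issuedAt);
  const explicitLax = parseSetCookie('session=abc123; Path=/; HttpOnly; SameSite=Lax', issuedAt);

  return {
    freshUnspecified: shouldSendCookie(unspecified, post(issuedAt + 60 * 1000)),        // 1 min old
    staleUnspecified: shouldSendCookie(unspecified, post(issuedAt + 3 * 60 * 1000)),    // 3 min old
    freshSubresource: shouldSendCookie(unspecified, subresourcePost(issuedAt + 60 * 1000)),
    freshExplicitLax: shouldSendCookie(explicitLax, post(issuedAt + 60 * 1000)),
  };
}
```

The scenario shows the practical consequence: a session cookie issued without an explicit SameSite attribute is still usable for a cross-site POST CSRF for the first two minutes of its life, while the same cookie with `SameSite=Lax` spelled out is never sent on a cross-site POST. Setting the attribute explicitly on the server is therefore the only way to opt out of the exception.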