DerScanner
Home / Vulnerability Database / Config files : Cookie: SameSite None - Cross-Origin Requests allowed not over SSL
Config files

Config files : Cookie: SameSite None - Cross-Origin Requests allowed not over SSL

Classification

OWASP Mobile Top 10 2016
M3-Insecure CommunicationM4-Insecure Authentication
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP ASVS
Session Management
PCI DSS 4.0
11.6.1
CWE
CWE-311CWE-352CWE-614CWE-1275
CWE/SANS Top 25 2011
CWE-311CWE-352
CWE/SANS Top 25 2021
CWE-352

Overview

The application creates cookies and allows cross-origin requests without setting the secure flag to true This allows to transfer cookies over HTTP in unencrypted form between different origins, that can violate their confidentiality.

Broken Access Control vulnerabilities take the first place in the “OWASP Top 10 2021” web-application vulnerabilities ranking.

References

  1. Work with SameSite cookies in ASP.NET
  2. OWASP SameSite
  3. The ultimate guide to secure cookies with web.config in .NET
  4. Securing Session INI Settings - php.net
  5. OWASP Top 10 2013-A5-Security Misconfiguration
  6. Origin Cookies: Session Integrity for Web Applications (pdf)
  7. CWE-1275
  8. CWE-352
  9. CWE-614
  10. CWE-311
  11. CWE CATEGORY: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
MEDIUM

DerScanner Severity Score

Do you want to fix Config files : Cookie: SameSite None - Cross-Origin Requests allowed not over SSL in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection