ZAP – Cookie with Invalid SameSite Attribute

Details
Alert ID	10054-3
Alert Type	Passive
Status	release
Risk	Low
CWE	1275
WASC	13
Technologies Targeted	All
Tags	CWE-1275 OWASP_2017_A05 OWASP_2021_A01 POLICY_DEV_STD POLICY_PENTEST POLICY_QA_STD SYSTEMIC WSTG-V42-SESS-02
More Info	Scan Rule Help

Summary

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Solution

Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Other Info

References

https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site

Code

org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java