Details
Alert ID 10054-1
Alert Type Passive
Status release
Risk Low
CWE 1275
WASC 13
Technologies Targeted All
Tags CWE-1275
OWASP_2017_A05
OWASP_2021_A01
WSTG-V42-SESS-02
More Info Scan Rule Help

Summary

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Solution

Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/CookieSameSiteScanRule.java