Can someone explain to me what `sameSite='lax'` means?

I need someone to explain to me what Lax means; I don't understand. Break it down for me.

From MDN:

Values

The SameSite attribute accepts three values:

Lax
Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by third-party websites. This is the default value in modern browsers.

Strict
Cookies will only be sent in a first-party context and will not be sent along with requests initiated by third-party websites.

None
Cookies will be sent in all contexts, i.e. sending cross-origin is allowed.

None used to be the default value, but recent browser versions made Lax the default value to have a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

None requires the Secure attribute in latest browser versions. See below for more information.

Go to Source
Author: Joseph K.

Cookie is not being set after CRLF injection in one domain but is set in another domain. How can I bypass/set it?

OK, I am facing very weird behaviour that both sets and doesn't set the cookie. So, first I found CRLF injection in 2 domains, redacted.de and redacted_another.com. When I go to the vulnerable URL on redacted_another.com, the cookie gets set in Firefox ESR. This works in the browser. The first vulnerable domain I encountered had this URL:

https://www.redacted_another.com/lp/%0ASet-Cookie:%20dipesh=yadav

I can view the cookies using the developer tools. This is the default behaviour, I think. The next domain I encountered had these vulnerable URLs, but it didn't work in the browser 🙁 :

http://www.redacted.de/forum/%0aSet-Cookie:%20dipesh=yadav
http://www.redacted.de/sso/registration/account/%3f%0d%0aSet-Cookie:%20dipesh=yadav

But when I visit any of these URLs from redacted.de it doesn't work in the browser. Also, both redacted_another.com and redacted.de set the cookie in the curl response. This is what it looks like for both; the first one works in the browser and the second doesn't.
Working curl request:

root@kali-linux:~/redacted/# http https://www.redacted.com/lp/%0ASet-Cookie:%20dipesh=yadav

HTTP/2 301 
date: Thu, 13 Aug 2020 15:02:53 GMT
content-type: text/html
content-length: 185
location: https://www.redacted.com/lp/redirects/?olp=/lp/
set-cookie: dipesh=yadav
expires: Thu, 20 Aug 2020 15:02:53 GMT
cache-control: max-age=604800

HTTP/2 200 
date: Thu, 13 Aug 2020 15:02:53 GMT
content-type: text/html
content-length: 1452
vary: Accept-Encoding
last-modified: Tue, 04 Feb 2020 15:54:26 GMT
etag: "redacted"
expires: Thu, 20 Aug 2020 15:02:53 GMT
cache-control: max-age=604800
access-control-allow-origin: *
accept-ranges: bytes

Not working request:

root@kali-linux:~/redacted# http http://www.redacted.de/sso/registration/account/%0aSet-Cookie:%20bugbounty=bugbountyplz

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 13 Aug 2020 15:05:04 GMT
Content-Type: text/html
Content-Length: 162
Location: https://www.redacted.de/sso/registration/account/
Set-Cookie: bugbounty=bugbountyplz
Last-Modified: Thu, 13 Aug 2020 15:05:04 GMT
Cache-Control: private
Age: 0
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: keep-alive

HTTP/2 200 
server: nginx
date: Thu, 13 Aug 2020 15:05:05 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
access-control-allow-credentials: true
access-control-allow-origin: https://www.redacted.de
last-modified: Thu, 13 Aug 2020 15:05:05 GMT
cache-control: no-cache, private
age: 0
strict-transport-security: max-age=15768000
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
accept-ranges: bytes

Can anyone help me with this? What is the problem that doesn't let me set a cookie on redacted.de, while I can set a cookie on redacted_another.com?

Go to Source
Author: Dipesh Sunrait
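As an added example (not code from the post, and not a description of either redacted server), the script below shows the server-side pattern that turns a `%0ASet-Cookie:...` path into a real response header: a redirect builder that percent-decodes the path and reflects it into `Location` without filtering control characters, beside a hardened builder that refuses them. The host name `www.example.test`, the responses and the parser are constructed for illustration; the payload shape is the one from the post.

```javascript
// Added example, not code from the post: a server that pastes a percent-decoded
// request path into a Location header is the pattern that lets "%0ASet-Cookie:..."
// become a separate response header. Host name and responses are constructed.

// Vulnerable builder: decodes the path and reflects it into Location as-is.
function buildRedirectVulnerable(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  return [
    'HTTP/1.1 301 Moved Permanently',
    `Location: https://www.example.test${decoded}`,
    'Content-Length: 0',
    '',
    '',
  ].join('\r\n');
}

// Hardened builder: refuses any CR, LF or other control character before it
// can reach a header. Real HTTP libraries (Node's http module included) throw
// on such header values; the check is re-implemented here to make it visible.
function buildRedirectHardened(rawPath) {
  const decoded = decodeURIComponent(rawPath);
  if (/[\x00-\x1f\x7f]/.test(decoded)) {
    throw new Error('control character in redirect target');
  }
  return [
    'HTTP/1.1 301 Moved Permanently',
    `Location: https://www.example.test${encodeURI(decoded)}`,
    'Content-Length: 0',
    '',
    '',
  ].join('\r\n');
}

// Returns true when the hardened builder rejects the path.
function hardenedRejects(rawPath) {
  try { buildRedirectHardened(rawPath); return false; } catch { return true; }
}

// Minimal response-header parser. It accepts a bare LF as a line break, the
// lenient behaviour of many clients, which is what lets a %0A-only payload
// (no %0D) land as its own header.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return { statusLine: lines[0], headers };
}

// Constructed payloads shaped like the ones in the post.
const INJECTED_LF = '/lp/%0ASet-Cookie:%20dipesh=yadav';
const INJECTED_CRLF = '/sso/registration/account/%3f%0d%0aSet-Cookie:%20dipesh=yadav';

const parsed = parseHeaders(buildRedirectVulnerable(INJECTED_LF));
console.log(parsed.headers['location']);    // [ 'https://www.example.test/lp/' ]
console.log(parsed.headers['set-cookie']);  // [ 'dipesh=yadav' ]
console.log(hardenedRejects(INJECTED_LF), hardenedRejects(INJECTED_CRLF)); // true true
```

Whether a browser actually stores the injected cookie still depends on what it does with that particular response (which response in a redirect chain carried the header, on which scheme, and whether the cookie's attributes are acceptable), so the raw responses captured with an HTTP client are the right thing to compare first.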

Cookie is reset after redirect from other domain

I have a website implemented with Codeigniter 3.
I store a cookie with a TTL of 1 year, which I use in some queries.
Normally, everything works as expected.
However, I have a virtual POS integration on my website which redirects to the bank's website and back from there.
Upon redirection back from the bank website I try to get the value of the cookie I set, but the cookie does not exist on redirection back from the bank. And the weirdest thing is that it does not happen on all devices. It started recently, approximately 2 weeks ago. This behaviour does not occur on my device or on one other device, but it does occur on other devices, both mobile and desktop. One of these devices where the problem exists uses exactly the same Chrome version as my PC (where I don't face this problem).

I know that browsers are changing policies regarding cookies, but I am not sure if my problem is related to that because, as I said, I have this problem on some devices only.

I don’t know how to fix this problem.

Thanks in advance…

Go to Source
Author: Nuryagdy Mustapayev
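As an added example, not code from either post above, the following model decides whether a browser attaches a cookie for each of the three SameSite values. It serves both the first question on this page (what Lax, Strict and None mean) and the post above, where a flow leaves the site for a bank and comes back: if that return lands as a cross-site POST (an assumption about the shape of the return, not something the post states), a cookie treated as Lax is not sent on that request, while a cookie set with `SameSite=None; Secure` is. The site names, cookies and request shapes are constructed, and the same-site check is a simplified two-label comparison rather than a Public Suffix List lookup.

```javascript
// Added example, not code from either post: a model of when a browser attaches
// a cookie under each SameSite value, following the MDN rules quoted above.
// The sites, cookies and request shapes below are constructed for illustration.

// Two hosts are "same-site" when their registrable domains match. Taking the
// last two labels is an assumption that breaks on suffixes such as co.uk;
// real browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie: { name, value, sameSite: 'Lax' | 'Strict' | 'None', secure: boolean }
// req:    { initiatorSite, targetSite, method, topLevel, scheme }
// Returns true when the browser would attach the cookie to the request.
function cookieIsSent(cookie, req) {
  // A Secure cookie never travels over plain http, whatever SameSite says.
  if (cookie.secure && req.scheme !== 'https') return false;

  const sameSite = registrableDomain(req.initiatorSite) === registrableDomain(req.targetSite);
  if (sameSite) return true;                 // first-party: always sent

  // Cross-site request from here on. Modern browsers treat a cookie with no
  // SameSite attribute as Lax.
  switch (cookie.sameSite || 'Lax') {
    case 'Strict':
      return false;                          // never cross-site
    case 'None':
      // Browsers reject SameSite=None without Secure, so such a cookie was
      // never stored in the first place.
      return cookie.secure === true;
    default:                                 // 'Lax'
      // Only top-level navigations using a safe method, e.g. a link click.
      // A cross-site POST (a form auto-submitted back from another site) or a
      // subresource load (<img>, fetch) does not carry the cookie.
      return req.topLevel && SAFE_METHODS.has(req.method);
  }
}

// Builds the Set-Cookie header value for a cookie description.
function setCookieHeader(cookie) {
  const parts = [`${cookie.name}=${cookie.value}`];
  if (cookie.sameSite) parts.push(`SameSite=${cookie.sameSite}`);
  if (cookie.secure) parts.push('Secure');
  return parts.join('; ');
}

// Constructed scenarios.
const lax = { name: 'sess', value: 'abc', sameSite: 'Lax', secure: true };
const strict = { ...lax, sameSite: 'Strict' };
const none = { ...lax, sameSite: 'None' };

const linkClick = { initiatorSite: 'other.example', targetSite: 'shop.example', method: 'GET', topLevel: true, scheme: 'https' };
const crossSitePost = { ...linkClick, initiatorSite: 'bank.example', method: 'POST' };
const imgLoad = { ...linkClick, topLevel: false };
const sameSiteForm = { ...linkClick, initiatorSite: 'www.shop.example', method: 'POST' };

function demo() {
  return {
    laxLinkClick: cookieIsSent(lax, linkClick),           // true
    laxCrossSitePost: cookieIsSent(lax, crossSitePost),   // false
    laxImgLoad: cookieIsSent(lax, imgLoad),               // false
    laxSameSiteForm: cookieIsSent(lax, sameSiteForm),     // true
    strictLinkClick: cookieIsSent(strict, linkClick),     // false
    noneCrossSitePost: cookieIsSent(none, crossSitePost), // true
    noneWithoutSecure: cookieIsSent({ ...none, secure: false }, crossSitePost), // false
  };
}

console.log(demo());
console.log(setCookieHeader(none)); // sess=abc; SameSite=None; Secure
```

The `laxCrossSitePost` case is the one to check against a browser's cookie panel when a cookie "disappears" only on the request that returns from another site: the cookie is still stored, it just is not attached to that request. A cookie that genuinely has to ride along on a cross-site POST must be issued with `SameSite=None; Secure`, and therefore only over HTTPS.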

Is it necessary to encrypt a JSON Web Token more than what is built-in?

As a developer I do have some understanding of OWASP; I am also a member of the OWASP community, an official dues-paying one. Anyway, what I may not understand is information security, in that I am not a security engineer, and so I pose the following question:

Is it necessary to encrypt and encode a JSON Web Token?

In my experience, no secure or confidential information should be in a JSON Web Token anyway, outside of the id and email of the user. I can imagine a customer such as a bank freaking out about that, but what can someone do with an email? The password is salted and hashed, and also, at least in the NodeJS world that is my wheelhouse, a JSON Web Token is tamper resistant.

I can verify that a token is valid by checking the signature, and if it fails due to tampering then the services will no longer trust it; that simple, no? Why would it be necessary to encrypt it, encode it and whatever else an overzealous engineer can think of? What problem is it solving, or what use case is it handling, that is not already built in? Is it because in other programming languages there are no built-in libraries that can run a jwt.verify() on the JWT?

Could the case described in this post be what the institution is trying to solve?

JWT (JSON Web Token) Tampering

Go to Source
Author: Daniel

Cookie not persisting on iOS devices after app has shut down

I’m having an issue with persisting cookies in iOS on React Native/Expo using Axios.

I have a Nest.js server that uses Passport to authenticate users, and when a user logs in a cookie is placed on the device for all subsequent requests. I'm handling this behaviour with the header credentials: 'include' on each request. This is all working fine on Android, and even on iOS, until the user closes the app and reopens it (on iOS), after which the cookie sent to the server is null. At first I thought this was an issue with React Native, so I decided to handle the cookie myself;

Axios interceptor which retrieves and stores the cookie in local storage:

import axios, { AxiosError } from 'axios';
import * as setCookie from 'set-cookie-parser';

// Response interceptor: capture any Set-Cookie headers and persist them.
axios.interceptors.response.use(async response => {
    const cookie: Array<string> = response.headers['set-cookie'];
    if (cookie) {
        // Split combined Set-Cookie values, then parse name/value/attributes.
        const cookieHeader: Array<string> = setCookie.splitCookiesString(cookie);
        const cookies: setCookie.Cookie[] = setCookie.parse(cookieHeader);
        await Cache.saveCookie(cookies);
    }
    return response;
}, async (error: AxiosError) => {
    // error handle: re-reject so callers still see the failure
    return Promise.reject(error);
});

I’m using set-cookie-parser package recommended here. My Cache module just saves the value to the devices storage using AsyncStorage.

Then my request interceptor which adds the cookie to each request (if set):

axios.interceptors.request.use(async config => {
    const cookies: setCookie.Cookie[] = await Cache.getCookie();
    if (cookies) {
        // Cookie request header: name=value pairs separated by "; "
        const cookie: string = cookies.map(d => `${d.name}=${d.value}`).join('; ');
        // The header has to live under config.headers; a top-level `Cookie`
        // key on the config object is not sent by Axios.
        return {
            ...config,
            headers: { ...config.headers, Cookie: cookie },
        };
    }

    return config;
});

So my solution above works on Android, and on iOS until the app is closed and reopened (on iOS, just like before).

Debugging on my server I can see the cookie in every request from the client, but once the app is closed and reopened the cookie value in the request is null, even though I have confirmed the cookie is retrieved and set in the interceptor above with no issue. So it's almost like something else is tampering with my HTTP request after my interceptor has added the cookie to the request.

As I’ve said before this only ever happens after the app has been closed and reopened. Happy to give more context about either the application code or the server code.

Thanks in advance.

Go to Source
Author: Harry Bendix-Lewis

What can a malicious website do in the worst case on an upgraded system? [closed]

I use the latest Debian stable (buster as of June 2020).

  • system upgraded every day (and browser add-ons updated automatically)
  • Firefox 68.9.0esr (64-bit) (the one from the apt package system)
  • decent hardware (less than 5 years old)
  • Debian security upgrade enabled

I'm aware of security concerns; I…

  • verify (before clicking an HTTP link) whether a link that looks like example.org is in fact example.org.random.tracker.io, for example (I take care about phishing and tracking)
  • take care with untrusted X.509 certificates for HTTPS websites
  • avoid using non-trusted Firefox add-ons
  • never open suspicious files from the web or e-mail
  • don't use weak passwords (and I don't use the same one on 2 websites)
  • never run Firefox as root (who does this?)
  • use the HTTPS Everywhere, uBlock Origin, Ghostery and Decentraleyes Firefox add-ons

So my question:

  • what is the risk of opening a malicious website (if it is not in the Google Safe Browsing DB)? What can it do, in the worst case, apart from being a phishing website? (I guess crypto-mining at least, exploiting a Firefox vulnerability…)

Go to Source
Author: Gilles Quenot

Is there some method to track what changes a website makes to files?

So I was trying to find out how this site, pentest-tools, tracks me without a normal MAC address or even IP address. This website basically gives us 2 "free scans", allowing us to scan any 2 sites and find some of the basic vulnerabilities present in websites.

So there are plenty of websites out there (actually, only 2) that provide these free "scans" for basic vulnerabilities. So as a challenge, I wanted to find out whether I could fool the website into allowing me more than 2 scans by changing my identity, thus having the server think of me as a new user.

So, I tried all the basic methods of hiding my identity (BTW I am not a hacker or anywhere near one), which included MAC and IP spoofing and cookie clearing. But they didn't work. So, I had a few questions:

  1. Is there any way to track what file changes the site performs to identify me, so that I can find the cookies responsible for storing the number of scans I have used and delete them?

  2. Also, would there be any program that immediately and automatically removes whatever files the website generates (trackers, by the above method) and places on the computer? Something which even prevents supercookies?

TIA

Regards,
Neel Gupta

Go to Source
Author: neel g