Burp Suite User Forum


Query Regarding Cross-site request forgery

Srini | Last updated: Sep 01, 2020 07:16AM UTC

Issue: In our application we are using the cookie lastAccesTimeForCurrentSession to validate the session. Previously we were not using the SameSite attribute in the cookie; now we have started using SameSite with Strict mode. The browser we used for Burp Scanner is Google Chrome 85.0.x, for which the default SameSite setting is Lax, which as per the documentation won't allow a POST request to send cookies from third-party sites. However, Burp Scanner is able to send our site's cookies, which results in cross-site request forgery being reported in the report. We would like to understand how Burp Scanner is able to send those cookies in a POST request. Does cross-site request forgery still exist in our site, or can we assume that test is a false indication? Attached are the Burp Scanner report and Google Chrome screenshots for reference.
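
As an added example (not from this post and not PortSwigger's code), a small Python model of the browser-side SameSite decision the question turns on: whether a cookie set with SameSite=Strict, Lax, None, or no attribute at all (which Chrome 80+ treats as Lax) is attached to a cross-site request such as a POST from a third-party page. The cookie names and values are constructed; the 120-second Lax+POST window is Chrome's documented grace period for cookies that were defaulted to Lax.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Chrome 80+ lets a cookie that was *defaulted* to Lax (no SameSite attribute)
# ride along on a top-level cross-site POST for 2 minutes after it was set.
LAX_POST_WINDOW_SECONDS = 120


@dataclass
class RequestContext:
    method: str
    cross_site: bool            # request initiated from a different site
    top_level_navigation: bool  # link/form navigation, not fetch/XHR/img
    https: bool = True          # scheme of the request URL


def parse_set_cookie(header: str):
    """Return (samesite, secure, explicit) from a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    _name, morsel = next(iter(jar.items()))
    samesite = (morsel["samesite"] or "").lower()
    # No attribute: modern Chrome treats the cookie as Lax but remembers it
    # was defaulted, which matters for the Lax+POST exception below.
    return samesite or "lax", bool(morsel["secure"]), bool(samesite)


def browser_sends_cookie(set_cookie: str, ctx: RequestContext,
                         cookie_age_seconds: int = 0) -> bool:
    """Model the browser-side SameSite decision for one cookie and request.

    Only browsers enforce SameSite; a non-browser HTTP client sends whatever
    cookies it holds, so this models a victim's browser, not a scanner or curl.
    """
    samesite, secure, explicit = parse_set_cookie(set_cookie)
    if not ctx.cross_site:
        return True                      # same-site: always sent
    if samesite == "none":
        return secure and ctx.https      # None requires Secure
    if samesite == "strict":
        return False                     # Strict: never sent cross-site
    # Lax: top-level navigations with a safe method only...
    if ctx.top_level_navigation and ctx.method.upper() in SAFE_METHODS:
        return True
    # ...plus Chrome's Lax+POST exception for defaulted cookies
    return (not explicit and ctx.top_level_navigation
            and ctx.method.upper() == "POST"
            and cookie_age_seconds < LAX_POST_WINDOW_SECONDS)
```

Because the SameSite check lives in the browser, a server-side anti-CSRF token check remains the control a non-browser client cannot bypass, which is why a scanner's finding should be confirmed against the token handling rather than the cookie attribute alone.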

Uthman, PortSwigger Agent | Last updated: Sep 01, 2020 09:58AM UTC

Hi Srini, I have replied to your colleague via email regarding this query.
