As many as 97% of websites are still susceptible to cross-site request forgery (CSRF) attacks, despite widespread adoption of the SameSite cookie attribute, according to research by payloads.online.
SameSite prevents cookies from being sent in requests that originate outside the same site, which should mean that a user’s session cookie is not included in a CSRF request made by a malicious third party, rendering the attack useless.
However, the researchers found that many sites do not fully implement the attribute, leaving users vulnerable.
In addition, over 50% of APIs studied did not implement anti-CSRF tokens, allowing the researchers to simulate CSRF attacks through payloads.online’s search engine for CSRF vulnerabilities.
Recommendations include ensuring strict SameSite cookie configurations and using anti-forgery tokens in AJAX forms and APIs, as well as setting appropriate CORS rules to manage which sites can access content.
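To make the two recommendations concrete, the following is an added example (not code from payloads.online or its research): it emits a session cookie with the SameSite attribute, models the simplified rule a browser applies before attaching such a cookie to a cross-site request, and layers a session-bound anti-CSRF token on top. The function and constant names, the demo key and the request scenarios are all constructed for illustration.

```python
import hmac
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # constructed sample value, not a real secret


def session_cookie(value, samesite="Lax"):
    """Set-Cookie header for the session cookie with SameSite set.
    SameSite=None is only honoured by browsers when Secure is also present."""
    c = SimpleCookie()
    c["session"] = value
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = samesite
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def browser_attaches_cookie(samesite, cross_site, method, top_level):
    """Simplified model of the SameSite rule: Strict never travels cross-site,
    Lax only on top-level navigations using a safe method, None always."""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        return top_level and method in ("GET", "HEAD")
    return False  # Strict


def csrf_token(session_id):
    """Anti-CSRF token bound to the session via HMAC (no server-side storage)."""
    return hmac.new(SECRET_KEY, session_id.encode(), "sha256").hexdigest()


def handle_state_change(samesite, session_id, cross_site, method, top_level, token):
    """Server-side decision for a state-changing endpoint: the session cookie
    and a valid token must both arrive, so a forged request fails at least one."""
    if not browser_attaches_cookie(samesite, cross_site, method, top_level):
        return "rejected: no session cookie"
    if not hmac.compare_digest(csrf_token(session_id), token or ""):
        return "rejected: missing or invalid CSRF token"
    return "accepted"


if __name__ == "__main__":
    print(session_cookie("abc123", "Strict"))
    # Lax still attaches the cookie to a top-level cross-site GET, so a
    # state-changing GET endpoint that relies on SameSite alone is exposed;
    # the token check is what stops it here.
    print(handle_state_change("Lax", "sess-1", True, "GET", True, None))
    print(handle_state_change("Lax", "sess-1", False, "POST", False, csrf_token("sess-1")))
```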