0 votes
My question is about Exercise 3, Question 1 (called "1a) Countermeasures"):

According to the solution provided, "Using Same-site cookies" would be a countermeasure for clickjacking.

Maybe I'm missing something here, but to my understanding, Same-site cookies might prevent an attacker from stealing cookies, but it should not prevent clickjacking.

Example:

An attacker wants to make the user of good.com delete their account on this site.

The attacker can use clickjacking using invisible iframes (if no other prevention mechanism is used) to make the user click on a "Delete account" button. (Once again assuming there is no prevention mechanism for 1-click deletes :) )

Since the user is currently logged in (cookie is set) and the route for deleting their account might be along the lines of http://good.com/account-delete (clearly same site to http://good.com/some-other-route) the cookie should be sent while requesting the account-deletion route.

Hence, the user was made to do something they did not intend => Clickjacking

Please correct me if I overlooked something, but given the example above Same-site cookies alone would not prevent Clickjacking.
in ex03 by

1 Answer

0 votes
Best answer

Hi,

SameSite cookies do not prevent the attacker from stealing cookies.
They define for which requests the cookies will be sent (e.g., when the browser requests an image on the website).
HttpOnly cookies prevent the attacker from stealing the cookies using JavaScript.
However, stealing the cookies is not the attackers' goal for CSRF and Clickjacking.
The attackers only abuse the fact that the victims are logged in (and have their cookies set).

Your workflow for Clickjacking is correct.
However, please take a look at the following resource: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value

As soon as you start using SameSite cookies (=> >lax), the cookies are only sent for top-level navigations (and safe methods, but this is irrelevant in this example).
This explicitly excludes navigations caused by iframes (and img, ...).

I hope that clears it up.
Feel free to ask more questions.

Cheers
Sebastian

by (1.2k points)
0
Thank you!
It seems like I've missed the part about top-level navigations when looking at the provided resource.
0
No problem :)
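The SameSite behaviour the answer describes (a Lax cookie is withheld from a request issued inside a cross-site iframe, but still sent on a cross-site top-level navigation), as an added example that is not part of the original thread or of MDN. Site names, cookie attributes and the request objects are constructed, and the site computation is simplified.

```javascript
// Added example (not from the post or MDN): a simplified model of the browser's
// SameSite decision, showing why a Lax cookie is withheld from a request made
// inside a cross-site iframe. Sites and cookies are constructed; the real
// algorithm (RFC 6265bis) has more cases than modelled here.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplified "site": scheme + last two host labels (browsers use the PSL).
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

// cookie: { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// req:    { targetUrl, method, topLevelNavigation, ancestorUrls }
//   ancestorUrls lists the documents from the top-level page down to the one
//   issuing the request (for a top-level navigation, just the initiator page).
function cookieIsSent(cookie, req) {
  const target = siteOf(req.targetUrl);
  // Same-site only if the whole frame chain is on the target's site.
  if (req.ancestorUrls.every((u) => siteOf(u) === target)) return true;
  switch (cookie.sameSite) {
    case "None":
      return cookie.secure && req.targetUrl.startsWith("https:");
    case "Strict":
      return false;
    case "Lax":
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Scenario from the question: evil.example frames the logged-in user's
// settings page and tricks a click on "Delete account" inside the frame.
const framedDelete = {
  targetUrl: "https://good.example/account-delete",
  method: "GET",
  topLevelNavigation: false,
  ancestorUrls: ["https://evil.example/attack", "https://good.example/settings"],
};

// For comparison: the user follows an ordinary link from evil.example.
const topLevelLink = {
  targetUrl: "https://good.example/settings",
  method: "GET",
  topLevelNavigation: true,
  ancestorUrls: ["https://evil.example/attack"],
};
```

Note that a Lax cookie is still sent on a cross-site top-level GET, so a route like account-delete must not change state on GET (use POST plus a CSRF token), which is the "safe methods" point the answer sets aside.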