**MUNICH, February 15, 2023 –** IGEL, provider of the managed endpoint operating system for secure access to any digital workspace, today announced IGEL COSMOS. Unveiled at DISRUPT23 – The Ultimate Global EUC event in Munich, COSMOS is a unified, agile platform to securely manage and automate the delivery of digital workspaces, from any cloud. Offering a modular architecture, granular endpoint control and end-user freedom, COSMOS is designed to enable organizations to garner the full power of current-day and future clouds with extensive control, while powering great user experiences for today’s hybrid work.

The most significant new advancement with IGEL COSMOS is that, for the first time, IGEL is completely separating the base IGEL OS from its validated and integrated applications and interfaces, while adding an additional separate component in the form of value-added cloud services. Together, these three vital components comprise IGEL COSMOS. This modular architecture of “separate but equal” elements of endpoint operating system, management and control, and cloud services enables maximum IT flexibility in introducing or enhancing apps, desktops, services, and any other form of cloud-delivered digital workspaces as the cloud continues to evolve.

Featuring extensive management and control powered by the new IGEL UMS 12, the next generation of the IGEL Universal Management Suite (UMS), COSMOS enables the parallel use, management and control of endpoints running both IGEL OS 11 and the new IGEL OS 12 operating system. New cloud services, which are de-coupled from the OS, include the IGEL App Portal for use-case specific software applications offered from IGEL software partners and available for seamless download and implementation. Additional cloud services include the IGEL Onboarding Service, IGEL Insight Service, and other services and portals all designed to enhance effectiveness and user experiences for both IT professionals and end users. 

“Today’s workspaces are hybrid. Hybrid work, hybrid clouds and hybrid applications. While VDI and DaaS continue to provide organizations the safest way to deliver secure access to windows client server applications, a transition to SaaS and web-based applications has already started.  IT organizations need to make sure they can evolve at their optimal pace and at the same time, enable employees seamless, yet secure access to their cloud workspaces,” said Matthias Haas, Chief Technology Officer, IGEL. “The COSMOS platform has been designed for this new era of hybrid work. With a new modularized version of IGEL OS, a new version of our UMS management platform coupled with new cloud services that extend capabilities and enhance user experiences, COSMOS enables unmatched speed and flexibility to our customers across traditional and modern application delivery models, while still retaining security, management, and control across the entire endpoint estate.” 

“Having deployed IGEL OS to our remote workforce, we have been excited to pilot the latest innovation from IGEL including UMS 12 and IGEL OS 12,” said Simon Barlow, Group Chief Technology Officer, Operations, AXA UK & Ireland. “Our remote workforce, the agile application landscape and more frequent update cycles of unified comms require us to onboard, manage and update our endpoints faster and more efficiently than ever before. Based on our initial testing of OS 12, we are already confident that we can remotely configure, update, and patch our remote machines faster and more efficiently. With small updates and the ability to only update the Azure Virtual Desktop client, IGEL COSMOS allows us to be more agile without compromising security or change control. We are excited about the new cloud services which complement IGEL OS and UMS 12 and are proud to be included in the COSMOS platform launch.”

“Having utilized the secure IGEL OS for our VMware VDI environment, we were excited to work with IGEL on the IGEL OS 12 pilot,” said Billy Cruz, Technology Services Manager, Desktop Engineering, COCC. “The ability to update the VMware Horizon client independently from IGEL OS in the new offering allows us to deploy the latest innovation from VMware faster and more efficiently than before. The additional ability to now also update the Zoom and Webex offloading clients, independently from the VMware Horizon app, also provides additional flexibility and reduces the amount of time needed to perform management updates to increase employee experience. With a smaller attack surface and faster updates, we are excited about rolling out IGEL OS 12 in the future.”

**The Powerful, Unified Components of COSMOS**

At the core of the IGEL COSMOS platform is the new IGEL UMS 12, which offers a unified view across a heterogeneous mix of endpoints running either IGEL OS 11 or the new IGEL OS 12. This powerful, yet simple to use, management and control console enables environments already benefitting from IGEL OS to easily migrate and leverage immediate value of COSMOS without requiring an OS upgrade on all their existing devices. 

Released with COSMOS is the new IGEL OS 12 which is more lightweight and adaptable than ever. Offering increased flexibility, speed, and agile integrations, IGEL OS 12 has been architected to support any form of cloud-delivered digital experiences. It also supports a faster, more efficient delivery of features and applications tuned to specific use cases via the IGEL App Portal.  Other key services tuned to IGEL OS 12 include fast user onboarding and deep insights into endpoint usage, security, status, and compliance of IGEL UMS-managed endpoints. 

One of the most significant new cloud services adding additional value to COSMOS is the IGEL App Portal. The App Portal delivers a full range of validated applications from IGEL’s vast IGEL Ready technology partner community designed for use on IGEL OS-powered devices. Since the App Portal operates separately and independently from the IGEL OS endpoint operating system, it sharply streamlines the process of application integration, introduction, and qualification for IT teams since there is no longer any dependence on the classic, highly integrated software release process. Available for download at no extra cost, these apps can be rapidly qualified and delivered as a feature-rich experience for users, while reducing the app qualification, implementation and update processes for IT. Applications include the Microsoft Azure Virtual Desktop client, VMware Horizon client, Citrix Workspace app, Chromium Browser, Zoom Media Plugins for VDI and many more. IGEL also offers an IGEL OS API (application programming interface) for software providers that want to validate their solution for availability using COSMOS and the IGEL App Portal. 

**Availability**

COSMOS, IGEL UMS 12, and IGEL OS 12 will be available April 1. Existing users of IGEL OS 11 will be able to engage IGEL UMS 12 via an easy migration to access COSMOS advancements for existing and new devices running IGEL OS 12 in the future. For more information visit igel.com/cosmos. To schedule a discovery meeting and get early access to GA code, visit igel.com/yes.

**DISRUPT23**

COSMOS was announcement from DISRUPT23 – The Ultimate Global EUC in Munich, held February 15 and 16 at the INFINITY Hotel & Conference Resort. DISRUPT23 will hold its North American installment at the Gaylord Opryland Resort & Convention Center in Nashville, Tennessee, on April 3-5. Registration is $399 per person. To register, visit: www.disruptEUC.com.

**About IGEL**

Today, the world of work is hybrid. Multiple clouds can deliver applications sourced from anywhere to a widely distributed workforce using all types of devices. Right at the moment when the world of work needs it most, IGEL has the solution for fully managed, secure endpoint access to any digital workspace that gives IT teams strong control and end-users the freedom to work as they wish in a hybrid world. Enabling choice of any cloud, from any device, anywhere, IGEL unlocks a collaborative and productive end user computing experience while solving the common security and management challenges required to compete and win in today’s world of hybrid work.  With a growing ecosystem of more than 100 IGEL Ready technology partners, IGEL has offices in Europe and the United States and is represented by partners in over 50 countries. For more information on IGEL, visit www.igel.com.

IGEL Unveils COSMOS, the Unified End User Computing Platform for Secure, Managed Access to Any Cloud Workspace

Google announced on Tuesday that it's officially rolling out Privacy Sandbox on Android in beta to eligible mobile devices running Android 13.
"The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant said. "Apps that choose to participate in the Beta

Google announced on Tuesday that it's officially rolling out Privacy Sandbox on Android in beta to eligible mobile devices running Android 13.

"The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant said. "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness."

Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the Topics API to serve relevant ads.

The initial Topics taxonomy is set to include somewhere between a few hundred and a few thousand topics, according to Google, and will be human-curated to exclude sensitive topics.

The Beta test is expected to start off with a "small percentage" of Android 13 devices and will gradually expand over time.

The Privacy Sandbox on Android is Google's answer to Apple's App Tracking Transparency (ATT), which requires app developers to seek users' explicit consent before tracking their online behavior across apps and websites through unique identifiers. It was introduced by Apple in iOS 14.5.

The experiment is part of a broader initiative for the web that also aims to begin phasing out third-party cookies in the Chrome web browser by 2024.

The technology that underpins its ability to glean users' evolving interests is a machine learning technique called federated learning that decouples the "ability to do machine learning from the need to store the data in the cloud."

This effectively allows decentralized edge devices such as smartphones to learn a shared prediction model while keeping all the training data on device, thereby making it possible for websites to access information about consumers without compromising user privacy.

Currently, Android devices are assigned a unique user-resettable identifier that can be used by app developers for tracking online behavior. Privacy Sandbox replaces the identifier with a set of privacy-preserving tools that are engineered to limit information sharing and at the same time support personalized ads.

While Google's proposals hope to strike a balance between interest-based advertising and privacy, the company also criticized that "blunt approaches" such as those from Apple don't provide viable alternatives.

That having said, Apple's ATT has faced criticism of its own. In September 2021, Lockdown Privacy called Apple's policy "functionally useless in stopping third-party tracking" and that it "made no difference in the total number of active third-party trackers."

What's more, a report from the Financial Times in December 2021 found that apps are continuing to track users on iOS, albeit in an anonymized and aggregated fashion similar to Google's Privacy Sandbox.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Rolling Out Privacy Sandbox Beta on Android 13 Devices

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.
The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month.
Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are

Patch Tuesday / Software Updates

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.

The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows -

*   **CVE-2023-21715** (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability
*   **CVE-2023-21823** (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability
*   **CVE-2023-23376** (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

"The attack itself is carried out locally by a user with authentication to the targeted system," Microsoft said in advisory for CVE-2023-21715.

"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer."

Successful exploitation of the above flaws could enable an adversary to bypass Office macro policies used to block untrusted or malicious files or gain SYSTEM privileges.

CVE-2023-23376 is also the third actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 and CVE-2022-37969 (CVSS scores: 7.8), which were addressed by Microsoft in April and September 2022.

"The Windows Common Log File System Driver is a component of the Windows operating system that manages and maintains a high-performance, transaction-based log file system," Immersive Labs' Nikolas Cemerikic said.

"It is an essential component of the Windows operating system, and any vulnerabilities in this driver could have significant implications for the security and reliability of the system."

It's worth noting that Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and with the note-taking service increasingly emerging as a conduit for delivering malware, it's crucial that users apply the fixes.

Also addressed by Microsoft are multiple RCE defects in Exchange Server, ODBC Driver, PostScript Printer Driver, and SQL Server as well as denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel.

Three of the Exchange Server flaws are classified by the company as "Exploitation More Likely," although successful exploitation requires the attacker to be already authenticated.

Exchange servers have proven to be high-value targets in recent years as they can enable unauthorized access to sensitive information, or facilitate Business Email Compromise (BEC) attacks.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apple
*   Atlassian
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   VMware
*   Zoho, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-21794

Microsoft Edge (Chromium-based) Tampering Vulnerability

CVE-2023-21720

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-23374

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

CVE-2023-25725: The Reliable, High Performance TCP/HTTP Load Balancer

The first guide of our two-part series helps consumers choose the best way to manage their login credentials

The first guide of our two-part series helps consumers choose the best way to manage their login credentials

While we continue to wait for the long-awaited password-less future to arrive, individuals and enterprises are still stuck with the problem of how to manage their countless, proliferating login credentials.

Whether they allow browsers to save passwords, rely on Apple’s Keychain or another operating system utility, or trust a dedicated app, most people and organizations now use some form of password management utility.

A password manager creates an encrypted vault that securely stores credentials. These are protected by a master password.

Read more of the latest security news about passwords

Most consumer-focused apps can also create unique, random passwords and support safe credential sharing between friends and family members.

Some also contain extra perks such as detecting reused passwords and monitoring your accounts for possible data breaches.

Given the differences in functionality and pricing tiers, The Daily Swig is offering a comparative, two-part guide to some of the most popular password management utilities available for consumers and businesses.

This article, part one of our series, looks at consumer password manager options, while part two will showcase some of the best choices for enterprises. Stay tuned for the forthcoming second guide.

**1Password**

1Password offers an easy sign-up process and printable digital key for recovering your account in case you forget your master password.

The application has apps for macOS, Windows, Linux, Android, and iOS as well as a Chrome extension that enables a user to auto-fill login information on websites and store new credentials in their vault.

The tool allows you to create multiple vaults to organize your data for various purposes (personal, work, etc). In addition to login information, you can use 1Password to store credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data.

The password manager also allows you share to passwords with other users. You can tweak the sharing feature by setting expiry dates, maximum number of views, and specific email addresses that can access a password.

1Password’s Watchtower feature monitors your account for reused passwords, vulnerable passwords, and potentially compromised accounts.

The application also has a Travel Mode for special circumstances where your devices might fall into unwanted hands. Vaults that you mark as safe for travel will disappear from your devices when you turn on Travel Mode and reappear when you turn it off.

The password manager offers no free-of-charge plan and instead offers personal ($2.99 per month) and family ($4.99 per month) subscriptions. With the family subscription, you get five premium accounts and the ability to create shared vaults that you can use together.

*   Pros: Flexible password sharing, Watchtower feature for monitoring password reuse and website breaches, strong MFA (multi-factor authentication) support
*   Cons: No free plan, limited import options

1password offers a password vault that offers a more convenient way to manage login credentials

**Bitwarden**

Bitwarden offers a full range of standard features including the ability to import data from other password managers, creating multiple vaults, sharing passwords with other users, and syncing vaults across multiple devices. It has apps for all major operating systems, extensions for nine different browsers, and a command-line interface for writing scripts.

One feature that sets Bitwarden apart is its strong free-tier option, which provides features that most users typically need. The premium subscription ($10 per year) also adds security reports, stronger 2FA (two-factor authentication) options, 1GB of encrypted storage, a OTP (one-time password) generator, and emergency access to your vault by other (nominated) Bitwarden users.

Bitwarden also has a family plan ($40 per year) with six accounts, shared password collections, and shared encrypted storage.

Bitwarden is an open source program, which means you can host it on your own servers if company or industry regulations prevent you from storing your credentials in the public cloud. However, to get the full range of features, you’ll need to purchase a premium license.

*   Pros: Strong free plan, competitive price for premium and family plans, open source, self-hosting support, strong MFA support, command line interface
*   Cons: Limited storage, limited MFA on free plan

**Dashlane**

Dashlane is another online password manager that provides basic features to store and secure your passwords, including creating vaults, generating passwords, filling online forms, and importing data from other managers.

The tool provides a very limited free plan that only works on one device. The advanced tier ($2.75 per month) removes the device limit and adds a service that monitors the dark web for breached passwords and compromised accounts.

The premium plan ($4.99 per month) adds VPN support, and the family plan ($7.49 per month) provides 10 premium accounts plus a dashboard to manage accounts and shared resources.

Unlike other password managers, Dashlane doesn’t have a desktop application – PC users must do everything through the web portal and browser extensions. But it does have mobile apps for Android and iOS.

Dashlane allows you to share passwords with other Dashlane users and set limits to what kind of access they will have to your credentials.

Dashlane’s emergency access feature also allows you to specify a contact who can assume ownership of your account in case you lose access, and you can specify a waiting period to accept or reject the user’s request to access your vault.

*   Pros: Password history, VPN support, dark web monitoring, no desktop application, strong emergency access options

*   Cons: Free plan limited to one device, expensive premium plan

**LastPass**

LastPass offers a variety of 2FA options

LastPass had by far the biggest market share as of 2022, but a recent breach that exposed users’ encrypted data has degraded confidence in its password manager service.

It is nonetheless worth knowing what the company has to offer, considering that it could apply the lessons from its security incident to harden its product.

Like Bitwarden, LastPass offers a very limited free plan that is restricted to one device. It includes standard features such as password strength evaluation, auto-filling and password generation, basic MFA, and one-on-one password sharing.

The premium plan ($36 per year) adds advanced MFA, emergency access, and more granular password sharing, 1GB of encrypted storage, and dark web monitoring for account and password breaches.

The family plan ($48 per year) bundles six premium accounts and a dashboard to manage accounts and shared resources.

Aside from its web portal, LastPass has apps for Mac, Windows, Linux, Android, and iOS alongside extensions for all major browsers. Password-less authentication through a separate LastPass Authenticator app is another notable feature.

*   Pros: Passwordless login support, dark web monitoring, password strength report
*   Cons: History of poor security practices, limited free plan

READ Bitwarden responds to encryption design flaw criticism

**KeePass**

For users who don’t trust online services with their passwords – a legitimate concern after the LastPass debacle – KeePass is a convenient alternative.

KeePass is a standalone application that provides many of the functions you would expect from a professional password manager, but with some notable exceptions. Absent features include the ability to auto-capture new passwords, syncing across multiple devices, password sharing, and scanning the web for breached accounts.

KeePass also fails to offer a web interface, browser extensions, or support for multiple platforms. The package comes as a Windows application, although being an open-source project means developers have ported it to other platforms. You’ll find links to these software packages on the KeePass website.

In KeePass, you can create password databases to store passwords, notes, and documents. These password databases can be copied to other devices, but you’ll have to sync them manually.

KeePass lacks support for many types of data, such as credit card info and API tokens, by default, but you can customize the utility to support different data types. Instead of autofill, KeePass has an auto-type feature that emulates typing your credentials on the keyboard, a feature than can require a bit of getting used to.

While this is not the most convenient password manager, it is a decent option for advanced users who want full control of their data and the ability to tinker with the software.

*   Pros: Free, open source, full control of your data, highly customizable
*   Cons: No automatic password capture, inconvenient auto-fill feature, clunky multi-platform support

**Operating system password managers**

Alternatively, you can use a tool that comes bundled with your operating system. Most popular among them is Apple’s Keychain, which encrypts and stores your passwords in a secure vault on your device.

The main advantage of Keychain is its deep integration with the Apple ecosystem. It automatically detects and fills passwords for websites, applications, WiFi networks, and more. It can also be synced to your iCloud account and made available across all your Apple devices, including Mac, iPhone, iPad, and Apple Watch.

So Keychain is convenient if you only use Apple devices. But if you have other operating systems in the mix (Android, Windows, Linux), then you’ll need a separate password manager. You also won’t be able to use it if you want to log into one of your accounts from a friend’s device or a public computer.

*   Pros: Free, easy to use, deep integration with operating system
*   Cons: No cross-platform support

Stay tuned for part two of this series showcasing the features of enterprise-focused password manager utilities.

YOU MAY ALSO LIKE Popular password managers auto-filled credentials on untrusted websites

Password manager security: Which is the right option for me?

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware.
Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022.
The initial vector entails using

Cryptocurrency / Software Security

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware.

Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022.

The initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others.

"After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum said in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address."

This is achieved by creating a Chromium web browser extension in the Windows AppData folder and writing to it the rogue Javascript and a manifest.json file that requests users' permissions to access and modify the clipboard.

Targeted web browsers include Google Chrome, Microsoft Edge, Brave, and Opera, with the malware modifying browser shortcuts to load the add-on automatically upon launch using the "--load-extension" command line switch.

The latest set of Python packages exhibits a similar, if not the same, modus operandi, and is designed to function as a clipboard-based crypto wallet replacing malware. What's changed is the obfuscation technique used to conceal the JavaScript code.

The ultimate goal of the attacks is to hijack cryptocurrency transactions initiated by the compromised developer and reroute them to attacker-controlled wallets instead of the intended recipient.

"This attacker significantly increased their footprint in pypi through automation," Phylum noted. "Flooding the ecosystem with packages like this will continue."

The findings coincide with a report from Sonatype, which found 691 malicious packages in the npm registry and 49 malicious packages in PyPI during the month of January 2023 alone.

The development once again illustrates the growing threat developers face from supply chain attacks, with adversaries relying on methods like typosquatting to trick users into downloading fraudulent packages.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code.

SameSite is a browser security mechanism that determines when a website's cookies are included in requests originating from other websites. SameSite cookie restrictions provide partial protection against a variety of cross-site attacks, including CSRF, cross-site leaks, and some CORS exploits.

Since 2021, Chrome applies Lax SameSite restrictions by default if the website that issues the cookie doesn't explicitly set its own restriction level. This is a proposed standard, and we expect other major browsers to adopt this behavior in the future. As a result, it's essential to have solid grasp of how these restrictions work, as well as how they can potentially be bypassed, in order to thoroughly test for cross-site attack vectors.

In this section, we'll first cover how the SameSite mechanism works and clarify some of the related terminology. We'll then look at some of the most common ways you may be able to bypass these restrictions, enabling CSRF and other cross-site attacks on websites that may initially appear secure.

**What is a site in the context of SameSite cookies?**

In the context of SameSite cookie restrictions, a site is defined as the top-level domain (TLD), usually something like .com or .net, plus one additional level of the domain name. This is often referred to as the TLD+1.

When determining whether a request is same-site or not, the URL scheme is also taken into consideration. This means that a link from http://app.example.com to https://app.example.com is treated as cross-site by most browsers.

**Note**

You may come across the term "effective top-level domain" (eTLD). This is just a way of accounting for the reserved multipart suffixes that are treated as top-level domains in practice, such as .co.uk.

**What's the difference between a site and an origin?**

The difference between a site and an origin is their scope; a site encompasses multiple domain names, whereas an origin only includes one. Although they're closely related, it's important not to use the terms interchangeably as conflating the two can have serious security implications.

Two URLs are considered to have the same origin if they share the exact same scheme, domain name, and port. Although note that the port is often inferred from the scheme.

As you can see from this example, the term "site" is much less specific as it only accounts for the scheme and last part of the domain name. Crucially, this means that a cross-origin request can still be same-site, but not the other way around.

**Request from**

**Request to**

**Same-site?**

**Same-origin?**

https://example.com

https://example.com

Yes

Yes

https://app.example.com

https://intranet.example.com

Yes

No: mismatched domain name

https://example.com

https://example.com:8080

Yes

No: mismatched port

https://example.com

https://example.co.uk

No: mismatched eTLD

No: mismatched domain name

https://example.com

http://example.com

No: mismatched scheme

No: mismatched scheme

This is an important distinction as it means that any vulnerability enabling arbitrary JavaScript execution can be abused to bypass site-based defenses on other domains belonging to the same site. We'll see an example of this in one of the labs later.

**How does SameSite work?**

Before the SameSite mechanism was introduced, browsers sent cookies in every request to the domain that issued them, even if the request was triggered by an unrelated third-party website. SameSite works by enabling browsers and website owners to limit which cross-site requests, if any, should include specific cookies. This can help to reduce users' exposure to CSRF attacks, which induce the victim's browser to issue a request that triggers a harmful action on the vulnerable website. As these requests typically require a cookie associated with the victim's authenticated session, the attack will fail if the browser doesn't include this.

All major browsers currently support the following SameSite restriction levels:

*   Strict
*   Lax
*   None

Developers can manually configure a restriction level for each cookie they set, giving them more control over when these cookies are used. To do this, they just have to include the SameSite attribute in the Set-Cookie response header, along with their preferred value:

Set-Cookie: session=0F8tgdOhi9ynR1M9wa3ODa; SameSite=Strict

Although this offers some protection against CSRF attacks, none of these restrictions provide guaranteed immunity, as we'll demonstrate using deliberately vulnerable, interactive labs later in this section.

**Note**

If the website issuing the cookie doesn't explicitly set a SameSite attribute, Chrome automatically applies Lax restrictions by default. This means that the cookie is only sent in cross-site requests that meet specific criteria, even though the developers never configured this behavior. As this is a proposed new standard, we expect other major browsers to adopt this behavior in future.

**Strict**

If a cookie is set with the SameSite=Strict attribute, browsers will not send it in any cross-site requests. In simple terms, this means that if the target site for the request does not match the site currently shown in the browser's address bar, it will not include the cookie.

This is recommended when setting cookies that enable the bearer to modify data or perform other sensitive actions, such as accessing specific pages that are only available to authenticated users.

Although this is the most secure option, it can negatively impact the user experience in cases where cross-site functionality is desirable.

**Labs**

*   LAB Bypassing SameSite Strict restrictions using on-site gadgets
*   LAB Bypassing SameSite Strict restrictions via vulnerable sibling domains

**Lax**

Lax SameSite restrictions mean that browsers will send the cookie in cross-site requests, but only if both of the following conditions are met:

*   The request uses the GET method.
    
*   The request resulted from a top-level navigation by the user, such as clicking on a link.
    

This means that the cookie is not included in cross-site POST requests, for example. As POST requests are generally used to perform actions that modify data or state (at least according to best practice), they are much more likely to be the target of CSRF attacks.

Likewise, the cookie is not included in background requests, such as those initiated by scripts, iframes, or references to images and other resources.

**Labs**

*   LAB Bypassing SameSite Lax restrictions using GET requests
*   LAB Bypassing SameSite Lax restrictions with newly issued cookies

**None**

If a cookie is set with the SameSite=None attribute, this effectively disables SameSite restrictions altogether, regardless of the browser. As a result, browsers will send this cookie in all requests to the site that issued it, even those that were triggered by completely unrelated third-party sites.

With the exception of Chrome, this is the default behavior used by major browsers if no SameSite attribute is provided when setting the cookie.

There are legitimate reasons for disabling SameSite, such as when the cookie is intended to be used from a third-party context and doesn't grant the bearer access to any sensitive data or functionality. Tracking cookies are a typical example.

If you encounter a cookie set with SameSite=None or with no explicit restrictions, it's worth investigating whether it's of any use. When the "Lax-by-default" behavior was first adopted by Chrome, this had the side-effect of breaking a lot of existing web functionality. As a quick workaround, some websites have opted to simply disable SameSite restrictions on all cookies, including potentially sensitive ones.

When setting a cookie with SameSite=None, the website must also include the Secure attribute, which ensures that the cookie is only sent in encrypted messages over HTTPS. Otherwise, browsers will reject the cookie and it won't be set.

Set-Cookie: trackingId=0F8tgdOhi9ynR1M9wa3ODa; SameSite=None; Secure

**Bypassing SameSite Lax restrictions using GET requests**

In practice, servers aren't always fussy about whether they receive a GET or POST request to a given endpoint, even those that are expecting a form submission. If they also use Lax restrictions for their session cookies, either explicitly or due to the browser default, you may still be able to perform a CSRF attack by eliciting a GET request from the victim's browser.

As long as the request involves a top-level navigation, the browser will still include the victim's session cookie. The following is one of the simplest approaches to launching such an attack:

<script>
    document.location = 'https://vulnerable-website.com/account/transfer-payment?recipient=hacker&amount=1000000';
</script>

Even if an ordinary GET request isn't allowed, some frameworks provide ways of overriding the method specified in the request line. For example, Symfony supports the _method parameter in forms, which takes precedence over the normal method for routing purposes:

<form action="https://vulnerable-website.com/account/transfer-payment" method="POST">
    <input type="hidden" name="_method" value="GET">
    <input type="hidden" name="recipient" value="hacker">
    <input type="hidden" name="amount" value="1000000">
</form>

Other frameworks support a variety of similar parameters.

**Bypassing SameSite restrictions using on-site gadgets**

If a cookie is set with the SameSite=Strict attribute, browsers won't include it in any cross-site requests. You may be able to get around this limitation if you can find a gadget that results in a secondary request within the same site.

One possible gadget is a client-side redirect that dynamically constructs the redirection target using attacker-controllable input like URL parameters. For some examples, see our materials on DOM-based open redirection.

As far as browsers are concerned, these client-side redirects aren't really redirects at all; the resulting request is just treated as an ordinary, standalone request. Most importantly, this is a same-site request and, as such, will include all cookies related to the site, regardless of any restrictions that are in place.

If you can manipulate this gadget to elicit a malicious secondary request, this can enable you to bypass any SameSite cookie restrictions completely.

Note that the equivalent attack is not possible with server-side redirects. In this case, browsers recognize that the request to follow the redirect resulted from a cross-site request initially, so they still apply the appropriate cookie restrictions.

**Bypassing SameSite restrictions via vulnerable sibling domains**

Whether you're testing someone else's website or trying to secure your own, it's essential to keep in mind that a request can still be same-site even if it's issued cross-origin.

Make sure you thoroughly audit all of the available attack surface, including any sibling domains. In particular, vulnerabilities that enable you to elicit an arbitrary secondary request, such as XSS, can compromise site-based defenses completely, exposing all of the site's domains to cross-site attacks.

In addition to classic CSRF, don't forget that if the target website supports WebSockets, this functionality might be vulnerable to cross-site WebSocket hijacking (CSWSH), which is essentially just a CSRF attack targeting a WebSocket handshake. For more details, see our topic on WebSocket vulnerabilities.

**Bypassing SameSite Lax restrictions with newly issued cookies**

Cookies with Lax SameSite restrictions aren't normally sent in any cross-site POST requests, but there are some exceptions.

As mentioned earlier, if a website doesn't include a SameSite attribute when setting a cookie, Chrome automatically applies Lax restrictions by default. However, to avoid breaking single sign-on (SSO) mechanisms, it doesn't actually enforce these restrictions for the first 120 seconds on top-level POST requests. As a result, there is a two-minute window in which users may be susceptible to cross-site attacks.

**Note**

This two-minute window does not apply to cookies that were explicitly set with the SameSite=Lax attribute.

It's somewhat impractical to try timing the attack to fall within this short window. On the other hand, if you can find a gadget on the site that enables you to force the victim to be issued a new session cookie, you can preemptively refresh their cookie before following up with the main attack. For example, completing an OAuth-based login flow may result in a new session each time as the OAuth service doesn't necessarily know whether the user is still logged in to the target site.

To trigger the cookie refresh without the victim having to manually log in again, you need to use a top-level navigation, which ensures that the cookies associated with their current OAuth session are included. This poses an additional challenge because you then need to redirect the user back to your site so that you can launch the CSRF attack.

Alternatively, you can trigger the cookie refresh from a new tab so the browser doesn't leave the page before you're able to deliver the final attack. A minor snag with this approach is that browsers block popup tabs unless they're opened via a manual interaction. For example, the following popup will be blocked by the browser by default:

window.open('https://vulnerable-website.com/login/sso');

To get around this, you can wrap the statement in an onclick event handler as follows:

window.onclick = () => {
    window.open('https://vulnerable-website.com/login/sso');
}

This way, the window.open() method is only invoked when the user clicks somewhere on the page.

Tag

#chrome