| Details | |
|---|---|
| Alert ID | 90033 |
| Alert Type | Passive |
| Status | release |
| Risk | Informational |
| CWE | 565 |
| WASC | 15 |
| Technologies Targeted | All |
| Tags |
CWE-565 OWASP_2017_A06 OWASP_2021_A08 WSTG-V42-SESS-02 |
| More Info |
Scan Rule Help |
Summary
Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.
Solution
Always scope cookies to a FQDN (Fully Qualified Domain Name).Other Info
The origin domain used for comparison was: subdomain.example.com name=valueReferences
- https://tools.ietf.org/html/rfc6265#section-4.1
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
- https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies