Loosely Scoped Cookie

Risk:
Informational

Type:
Passive

CWE:
CWE-565

Summary: Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Solution: Always scope cookies to a FQDN (Fully Qualified Domain Name).

Other info: The origin domain used for comparison was: subdomain.example.com name=value

References

https://tools.ietf.org/html/rfc6265#section-4.1

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

Latest Security News

Top CVE List

Common Security Alerts

LowCSP: Notices
HighServer Side Code Injection - ASP Code Injection
MediumSession ID in URL Rewrite
HighLDAP Injection
InformationalUser Agent Fuzzer
MediumAuthentication Credentials Captured
InformationalInformation Disclosure - Suspicious Comments in XML via WebSocket
HighCross Site Scripting (Reflected)
HighCloud Metadata Potentially Exposed
HighSource Code Disclosure - CVE-2012-1823

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard