logo

Loosely Scoped Cookie

  • Risk:

  • Informational

  • Type:
  • Passive
Summary
Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.
Solution
Always scope cookies to a FQDN (Fully Qualified Domain Name).
Other info
The origin domain used for comparison was: subdomain.example.com name=value
References

https://tools.ietf.org/html/rfc6265#section-4.1

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

Back <<