Loosely Scoped Cookie
- Risk:
Informational
- Type:
- Passive
- CWE:
- CWE-565
- Summary
Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which hosts the browser will send it to. A cookie can be scoped strictly to the host that set it, e.g. www.nottrusted.com, or loosely to a parent domain, e.g. nottrusted.com. In the latter case every subdomain of nottrusted.com can read the cookie. Loosely scoped cookies are common in large multi-service applications such as google.com and live.com. A cookie set by a host such as app.foo.bar without a Domain attribute is host-only: the browser transmits it only to that exact host. A cookie whose Domain attribute names a parent domain is transmitted to the parent and to every subdomain of the parent, so any subdomain that is compromised or serves user-controlled content can read it.
- Solution
Scope cookies to the FQDN (Fully Qualified Domain Name) of the host that sets them. The tightest way to do this is to omit the Domain attribute entirely, which makes the cookie host-only (RFC 6265 section 4.1.2.3) so the browser sends it only to the exact host that set it. An explicit Domain attribute, even one naming the full host, still admits subdomains of that name, so only use it when cross-subdomain sharing is genuinely required, and never set it to a parent domain for session or authentication cookies. The __Host- cookie name prefix enforces host-only scope (no Domain attribute, Secure, Path=/) in browsers that support it.
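The following is an added example, not ZAP's own implementation of this check. It applies the RFC 6265 domain-matching rule to Set-Cookie headers received from a given origin host and flags the cookies the alert above describes: those whose Domain attribute names a parent domain of the responding host. The origin host and the Set-Cookie header values are constructed sample data.

```python
"""Added example (not ZAP's own code): flag Set-Cookie headers whose Domain
attribute scopes the cookie to a parent domain of the responding host.

Domain matching follows RFC 6265 section 5.1.3; a missing Domain attribute
means host-only (section 4.1.2.3). The origin host and headers below are
constructed sample data.
"""

# Constructed sample: the host that returned the responses.
ORIGIN_HOST = "subdomain.example.com"

# Constructed sample Set-Cookie header values, one per cookie.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",       # host-only: not flagged
    "tracker=xyz; Domain=example.com; Path=/",         # parent domain: flagged
    "legacy=1; Domain=.example.com",                   # leading dot, same: flagged
    "exact=2; Domain=subdomain.example.com",           # same as host: not flagged
    "foreign=3; Domain=other.example.com",             # browser rejects: not flagged
]


def parse_set_cookie(header):
    """Return (cookie_name, domain_attribute_or_None) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            # RFC 6265 5.2.3: lowercase and drop a leading dot.
            domain = value.strip().lower().lstrip(".")
    return name, domain


def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host equals cookie_domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def loosely_scoped(host, header):
    """True when the cookie is scoped to a parent domain of `host`.

    No Domain attribute -> host-only, sent only to `host`, not flagged.
    A Domain the browser would reject (host does not domain-match it) is
    not flagged either: the browser discards the cookie entirely.
    A Domain equal to the host is not reported by this check, although it
    still admits sub-subdomains; omitting the attribute is tighter.
    """
    _, domain = parse_set_cookie(header)
    if domain is None:
        return False
    if not domain_matches(host, domain):
        return False
    return domain != host.lower()


def flagged_cookies(host, headers):
    """Names of cookies in `headers` that are loosely scoped for `host`."""
    return [parse_set_cookie(h)[0] for h in headers if loosely_scoped(host, h)]


if __name__ == "__main__":
    for name in flagged_cookies(ORIGIN_HOST, SAMPLE_HEADERS):
        print("Loosely Scoped Cookie: %s (origin host %s)" % (name, ORIGIN_HOST))
```

Run against the sample data the check reports tracker and legacy; session is host-only, exact is scoped to the responding host itself, and foreign would never be stored by the browser because subdomain.example.com does not domain-match other.example.com.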
- Other info
- The origin domain used for comparison was: subdomain.example.com name=value
- References
https://tools.ietf.org/html/rfc6265#section-4.1
https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies