Cookie Scoped To Parent Domain

Overview of the Vulnerability

When a cookie is scoped to a parent domain (a Set-Cookie header whose Domain attribute names the registrable domain rather than the host that issued the cookie), the browser sends that cookie to every subdomain of the parent domain, not only to the application that set it. If the cookie carries a session token, any other subdomain can read it, and an attacker who controls or has compromised a sibling subdomain (for example through a dangling DNS record, a cross-site scripting flaw, or a less well-protected application hosted there) can use the misconfiguration to obtain the token and the data it protects.

Business Impact

Cookies that are scoped to a parent domain expose session tokens and other sensitive values to every application on that domain. A compromise that results from this can lead to reputational damage for the business due to a loss of confidence and trust by users.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Use the proxy to intercept the HTTP response and inspect its Set-Cookie header(s)

  4. Observe that the Set-Cookie header carries a Domain attribute naming the parent domain rather than the host that issued the cookie

Proof of Concept (PoC)

The screenshot(s) below demonstrate the misconfiguration:

{{screenshot}}

Recommendation(s)

The cookie should be scoped to the application's own host rather than to the parent domain. The most restrictive option is to omit the Domain attribute from the Set-Cookie header entirely, which makes the cookie host-only: browsers then send it only to the exact host that set it. Setting Domain to the application's host name is not equivalent, because any Domain attribute (with or without a leading dot) also covers every subdomain of the value given. Where the cookie name can be changed, the __Host- prefix makes browsers enforce this: a __Host- cookie is rejected unless it has the Secure attribute, has Path=/ and has no Domain attribute. It is also best practice to include both the Secure and HttpOnly attributes. The following shows the Set-Cookie syntax, with optional attributes in brackets:

Set-Cookie: <name>=<value>[; Max-Age=<seconds>][; Expires=<date>][; Domain=<domain>][; Path=<path>][; Secure][; HttpOnly]
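The following is an added example, not part of the original report template, that automates the check in the Steps to Reproduce above and produces a header of the shape recommended here. It parses Set-Cookie headers as a proxy would show them, applies the RFC 6265 domain-matching rule to decide whether a cookie is host-only, scoped to the issuing host plus its subdomains, or scoped to a parent domain, and also flags missing Secure/HttpOnly attributes and __Host- prefix violations. The host name app.example.com, the cookie names and the sample headers are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample: what the proxy shows for a response from
# https://app.example.com/. The first header is the finding described in
# the report (Domain set to the parent domain); the others are for contrast.
SAMPLE_HOST = "app.example.com"
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/",
    "__Host-csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else ""
    return name.strip(), value.strip(), attrs


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain if they are equal
    or host ends with '.' + domain. A leading dot on domain is ignored."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_cookie(host: str, header: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one Set-Cookie header set by host."""
    name, _value, attrs = parse_set_cookie(header)
    findings: List[Tuple[str, str]] = []
    domain = attrs.get("domain")
    if domain is not None:
        bare = domain.lstrip(".").lower()
        if not domain_matches(host, bare):
            findings.append(("DOMAIN_MISMATCH",
                             f"Domain={domain} does not cover {host}; browsers reject this cookie"))
        elif bare != host.lower():
            # The finding this report describes: readable by every sibling subdomain.
            findings.append(("PARENT_DOMAIN",
                             f"Domain={domain} makes {name} readable by every subdomain of {bare}, not only {host}"))
        else:
            # Domain equal to the host is still a domain cookie, so subdomains of
            # host receive it too; only omitting Domain gives a host-only cookie.
            findings.append(("DOMAIN_INCLUDES_SUBDOMAINS",
                             f"Domain={domain} still shares {name} with subdomains of {host}; omit Domain for host-only scope"))
    if "secure" not in attrs:
        findings.append(("MISSING_SECURE", f"{name} lacks the Secure attribute"))
    if "httponly" not in attrs:
        findings.append(("MISSING_HTTPONLY", f"{name} lacks the HttpOnly attribute"))
    if name.startswith("__Host-") and (
        domain is not None or "secure" not in attrs or attrs.get("path") != "/"
    ):
        findings.append(("PREFIX_VIOLATION",
                         f"{name} uses the __Host- prefix but violates its rules (Secure, Path=/, no Domain)"))
    return findings


def audit_response(host: str, headers: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(host, h) for h in headers}


def hardened_set_cookie(name: str, value: str, max_age: int = None, path: str = "/") -> str:
    """Build a host-only Set-Cookie header: no Domain attribute, Secure, HttpOnly."""
    parts = [f"{name}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    parts += [f"Path={path}", "Secure", "HttpOnly"]
    return "; ".join(parts)


if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_HOST, SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie_name, "OK" if not findings else "")
        for code, message in findings:
            print(f"  [{code}] {message}")
    print("Hardened replacement:", hardened_set_cookie("SESSIONID", "abc123", max_age=3600))
```

The audit distinguishes three cases that are easy to conflate when reading a proxy response: a Domain value that is a parent of the issuing host (the reported finding), a Domain value equal to the host (still shared with subdomains), and no Domain attribute at all (host-only, which is what the recommendation asks for).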

For more information, please see:
