Details

Alert ID: 90033
Alert Type: Passive
Status: release
Risk: Informational
CWE: 565
WASC: 15
Technologies Targeted: All
Tags: CWE-565, OWASP_2017_A06, OWASP_2021_A08, WSTG-V42-SESS-02
More Info: Scan Rule Help

Summary

Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain, e.g. www.nottrusted.com, or loosely scoped to a parent domain, e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.

Solution

Always scope cookies to a FQDN (Fully Qualified Domain Name).
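As an added illustration of the comparison described in the Summary and Solution above (this is not ZAP's own rule code), the following Python classifies a Set-Cookie header's Domain attribute against the origin host that set it; the header strings and host names are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # normalised: lower-case, leading dot removed, None if absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into name, value and its Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # Browsers ignore a leading dot and compare case-insensitively.
            domain = val.strip().lower().lstrip(".") or None
    return Cookie(name.strip(), value.strip(), domain)


def scope_of(cookie: Cookie, origin_host: str) -> str:
    """Classify the cookie's domain scope relative to the host that set it.

    host-only : no Domain attribute; sent only to origin_host
    exact     : Domain names the FQDN that set it (what the Solution asks for)
    loose     : Domain is a parent of origin_host, so sibling subdomains of
                that parent also receive the cookie; this is what the rule flags
    rejected  : Domain is not a suffix of origin_host; RFC 6265 browsers drop it
    """
    host = origin_host.lower()
    if cookie.domain is None:
        return "host-only"
    if cookie.domain == host:
        return "exact"
    if host.endswith("." + cookie.domain):
        return "loose"
    return "rejected"


def loosely_scoped(header: str, origin_host: str) -> bool:
    """True when the rule would raise this alert for the given origin host."""
    return scope_of(parse_set_cookie(header), origin_host) == "loose"
```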

Other Info

The origin domain used for comparison was: subdomain.example.com name=value

Code

org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java