Details
Alert Id 90033
Alert Type Passive Scan Rule
Status release
Risk
CWE
WASC

Summary

Cookies can be scoped by domain or path. This check is only concerned with domain scope. The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain, e.g. www.nottrusted.com, or loosely scoped to a parent domain, e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or to any subdomain of the parent.
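The check described above, as an added example that is not the rule's own Java code: a small Python routine that reads the Domain attribute of each Set-Cookie header in a response and flags cookies whose domain is a proper parent of the host that set them. The sample host names and headers are constructed for illustration; they are not taken from any real scan.

```python
from typing import List, Optional


def parse_cookie_domain(set_cookie: str) -> Optional[str]:
    """Return the normalised Domain attribute of a Set-Cookie header.

    Returns None when no Domain attribute is present (a host-only cookie,
    which the browser sends back only to the exact host that set it).
    A leading dot, as in "Domain=.foo.bar", is ignored as browsers do.
    """
    attributes = [part.strip() for part in set_cookie.split(";")]
    for attribute in attributes[1:]:  # attributes[0] is "name=value"
        name, sep, value = attribute.partition("=")
        if sep and name.strip().lower() == "domain":
            value = value.strip().lower().lstrip(".")
            return value or None
    return None


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie name from the leading "name=value" pair."""
    return set_cookie.split(";", 1)[0].partition("=")[0].strip()


def is_loosely_scoped(request_host: str, set_cookie: str) -> bool:
    """True when the cookie's Domain is a parent of the host that set it.

    A cookie with no Domain attribute, or with Domain equal to the host,
    is treated as tightly scoped. A Domain that is not a parent of the
    host at all would be rejected by the browser, so it is not flagged.
    """
    host = request_host.strip().lower()
    domain = parse_cookie_domain(set_cookie)
    if domain is None or domain == host:
        return False
    return host.endswith("." + domain)


def scan_response(request_host: str, set_cookie_headers: List[str]) -> List[str]:
    """Return the names of all loosely scoped cookies in a response."""
    return [cookie_name(h) for h in set_cookie_headers if is_loosely_scoped(request_host, h)]


if __name__ == "__main__":
    # Constructed sample response headers for a request to www.nottrusted.com.
    sample_headers = [
        "session=abc123; Domain=nottrusted.com; Path=/; Secure; HttpOnly",  # loose
        "csrf=xyz; Domain=www.nottrusted.com; Path=/",                        # strict
        "prefs=dark; Path=/",                                                 # host-only
        "tracker=1; Domain=.NOTTRUSTED.COM",                                  # loose, mixed case
        "foreign=2; Domain=other.com",                                        # browser rejects
    ]
    for flagged in scan_response("www.nottrusted.com", sample_headers):
        print(f"loosely scoped cookie: {flagged}")
```

Omitting the Domain attribute entirely gives the tightest scope, since the browser then treats the cookie as host-only; setting Domain to the full host name is what the Solution below refers to as scoping to the FQDN.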

Solution

Always scope cookies to a FQDN (Fully Qualified Domain Name).

References

Code

org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java