
Vulnerability
Description
Cookies can be scoped by domain or by path; this vulnerability check looks only at domain scope. The domain scope applied to a cookie determines which domains can access it. For instance, a cookie can be strictly scoped to a subdomain such as www.example.com or loosely scoped to a parent domain such as example.com. In the loosely scoped case, any subdomain of example.com can access the cookie. Loosely scoped cookies are commonly used in large applications.
Recommendation
Scope all cookies to a Fully Qualified Domain Name (FQDN) and ensure they cannot be accessed by unauthorized domains.
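One way to audit for this, as an added example (not Beagle Security's own check): the Python below classifies the domain scope of each Set-Cookie header returned by a host, following the RFC 6265 Domain-attribute rules. The function names and the sample headers are constructed for illustration, and the Public Suffix List is not consulted.

```python
def parse_set_cookie(header):
    """Return (cookie_name, domain_attribute or None) from one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        value = value.strip()
        if key.strip().lower() == "domain" and value:
            # RFC 6265: one leading dot is ignored, matching is case-insensitive,
            # and the last Domain attribute in the header wins.
            domain = (value[1:] if value.startswith(".") else value).lower()
    return name, domain


def classify_scope(request_host, header):
    """Classify one cookie: 'host-only', 'same-host', 'parent-domain' or 'rejected'."""
    host = request_host.lower().rstrip(".")
    name, domain = parse_set_cookie(header)
    if domain is None:
        return name, "host-only"      # no Domain attribute: sent to the exact host only
    if domain == host:
        return name, "same-host"      # the responding host and its own subdomains
    if host.endswith("." + domain):
        return name, "parent-domain"  # readable by every subdomain of `domain`
    return name, "rejected"           # Domain does not cover the host; browsers drop it


def loosely_scoped(request_host, headers):
    """Names of cookies whose Domain attribute is a parent of the request host."""
    results = (classify_scope(request_host, h) for h in headers)
    return [name for name, scope in results if scope == "parent-domain"]


# Constructed sample headers, as if returned by www.example.com.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Domain=www.example.com; Path=/",
    "sso=tok456; Domain=.example.com; Path=/; Secure",
    "track=1; Domain=EXAMPLE.com",
    "other=x; Domain=example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_scope("www.example.com", h))
    print("loosely scoped:", loosely_scoped("www.example.com", SAMPLE_HEADERS))
```

Omitting the Domain attribute entirely gives the tightest scope, since the browser then returns the cookie only to the exact host that set it.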





