HawkScan Test Info for Loosely Scoped Cookie

Loosely Scoped Cookie

Reference

Plugin Id: 90033 | CWE: 565

Remediation

  1. Scope cookies to the serving host: omit the Domain attribute entirely so the browser treats the cookie as host-only and sends it only to the exact host that set it. A Domain attribute always widens scope to every subdomain of that value (a leading dot is ignored by browsers, and there is no narrower "wildcard" form), so set it only when the cookie genuinely has to be shared across hosts, and then to the most specific domain that works.
  2. Restrict the path: set Path to the application paths that need the cookie rather than defaulting to /. Treat this as a defence-in-depth measure only; Path is not an origin boundary, and script on the same host can still reach the cookie through a frame to a matching path.
  3. Review cookie policies: audit every cookie the application sets (session identifiers, CSRF tokens, remember-me tokens, third-party libraries) and confirm its Domain and Path match the hosts and paths that actually consume it.
  4. Add security attributes: include Secure, HttpOnly and SameSite. For session cookies, the __Host- name prefix lets the browser enforce the scoping itself: it is only accepted when the cookie has no Domain attribute, has Path=/ and is Secure.
  5. Regular cookie audits: re-check cookie scoping whenever a new subdomain, environment or acquired application is added under the same parent domain, since each new host extends the reach of any domain-scoped cookie.
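The following Python script is an added example and is not HawkScan's or ZAP's own rule code. It classifies the Domain scope of Set-Cookie headers the way steps 1 and 3 describe (host-only, loose, self-domain or rejected) and emits a hardened, host-only replacement with the __Host- prefix as in step 4. The scan host, the sample headers and the classification labels are assumptions made for the illustration; the rewrite renames the cookie, so the application must be changed to read the prefixed name.

```python
"""Audit Set-Cookie domain scoping and produce a host-only replacement.

Added example, not HawkScan's or ZAP's rule implementation. The host name,
the sample headers and the scope labels below are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_domain_scope(host: str, header: str) -> str:
    """Return how the cookie's Domain attribute scopes it relative to host.

    host-only   - no Domain attribute: browsers send it to host only.
    loose       - Domain is a parent of host: every sibling subdomain receives it.
    self-domain - Domain equals host: sent to host and to any subdomain of host.
    rejected    - Domain does not cover host: browsers discard the cookie
                  (RFC 6265 section 5.3). This example does not consult the
                  public suffix list, so Domain=co.uk would be reported as
                  loose rather than rejected.
    """
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "")
    if not domain:
        return "host-only"
    # RFC 6265 section 5.2.3: a leading dot is ignored; matching is case-insensitive.
    domain = domain.lstrip(".").lower()
    host = host.lower()
    if domain == host:
        return "self-domain"
    if host.endswith("." + domain):
        return "loose"
    return "rejected"


def harden_session_cookie(header: str, same_site: str = "Lax") -> str:
    """Rewrite a Set-Cookie header so the cookie is host-only and hardened.

    Drops Domain (host-only scope), forces Path=/, adds Secure, HttpOnly and
    SameSite, and applies the __Host- prefix, which browsers only honour under
    exactly those conditions. Expiry attributes are preserved.
    """
    name, value, attrs = parse_set_cookie(header)
    if not name.startswith("__Host-"):
        name = "__Host-" + name
    out = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", f"SameSite={same_site}"]
    if "max-age" in attrs:
        out.append(f"Max-Age={attrs['max-age']}")
    if "expires" in attrs:
        out.append(f"Expires={attrs['expires']}")
    return "; ".join(out)


def audit(host: str, headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, scope) for every header as served by host."""
    return [(parse_set_cookie(h)[0], classify_domain_scope(host, h)) for h in headers]


# Constructed sample: one host and the Set-Cookie headers it might emit.
SAMPLE_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Domain=example.com; Path=/",          # loose: all of example.com
    "sid=def456; Domain=.example.com; Secure; HttpOnly",      # loose: leading dot ignored
    "pref=light; Path=/settings",                             # host-only
    "tok=ghi789; Domain=app.example.com; Secure",             # self-domain: reaches *.app.example.com
    "x=1; Domain=other.org",                                  # rejected by the browser
]

if __name__ == "__main__":
    for cookie_name, scope in audit(SAMPLE_HOST, SAMPLE_HEADERS):
        print(f"{cookie_name:12s} {scope}")
    print(harden_session_cookie(SAMPLE_HEADERS[0]))
```

Run it against a saved set of response headers from the scanned host; anything reported as loose is the condition this test flags, and self-domain is worth a second look because an explicit Domain equal to the host still reaches any future sub-subdomain.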

About

A cookie set without a Domain attribute is host-only: the browser returns it only to the exact host that set it. A cookie is loosely scoped when its Domain attribute names a parent of that host (for example app.example.com setting Domain=example.com), because the browser then sends it to example.com and to every host beneath it. Session identifiers and authentication tokens scoped this way are exposed to every sibling subdomain, including ones run by other teams, staging or legacy systems, and any subdomain an attacker can take over.

Risks

Medium: a loosely scoped session cookie can be read, replayed or fixated from any subdomain that shares its Domain value, so a cross-site scripting flaw, a takeover of a dangling subdomain, or a compromised sibling application can yield session hijacking and unauthorized access across every application under that domain hierarchy.