Cookie Accessible for Subdomains

Impact: Informational

Description

If the Set-Cookie header contains the Domain attribute, browsers automatically send the cookie to any subdomains of the specified domain. This allows subdomains to access data in cookies.

Recommendation

Remove the Domain attribute from Set-Cookie attribute.

References

Mozilla: Using HTTP cookies
OWASP 2017-A6
OWASP 2021-A5
CWE-16

👉 You might also like:

Session Cookie Accessible for Subdomains - Vulnerability

PHP Version Disclosure - Vulnerability

X-Powered-By Header Found - Vulnerability

ASP.NET Version Disclosure - Vulnerability

Last updated on October 10, 2021

Cookie Accessible for Subdomains

Description

Recommendation

References

Use SmartScanner Free version to test for this issue