DerScanner
Home / Vulnerability Database / PHP : Cookie: broad domain
PHP

PHP : Cookie: broad domain

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session Management
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (e)(1)
CWE
CWE-1028

Overview

Cookie domain is set broadly. Broad domain (for example, .example.com is unsafe, because in this case a vulnerability in one application could endanger other applications in the same domain.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Top 10 2017 A2-Broken Authentication
  2. OWASP Top 10 2013-A5-Security Misconfiguration
  3. Origin Cookies: Session Integrity for Web Applications (pdf)
  4. setcookie - php.net
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
LOW

DerScanner Severity Score

Do you want to fix PHP : Cookie: broad domain in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt