Pascal : Cookie: broad path

Classification

OWASP Top 10 2013

A2-Broken Authentication and Session Management

OWASP Top 10 2017

A2-Broken Authentication A3-Sensitive Data Exposure

OWASP Top 10 2021

A2-Cryptographic Failures A4-Insecure Design A7-Identification and Authentication Failures

OWASP ASVS

Session Management

PCI DSS 4.0

6.2.4

CWE

CWE-1028

Overview

Cookie path is set broadly. Broad path (for example, /) is insecure, because in this case the vulnerability in one application may endanger other applications in the same domain.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

OWASP Top 10 2013-A5-Security Misconfiguration
Origin Cookies: Session Integrity for Web Applications (pdf)
OWASP Top 10 2017 A2-Broken Authentication
CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication

MEDIUM

Pascal : Cookie: broad path

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Pascal : Cookie: broad path in your application?

See also

Pascal : Error handling: generic exception

Pascal : Undocumented feature: special account

Pascal : Weak hashing algorithm