Python : Cookie: broad domain

Classification

OWASP Top 10 2013

A2-Broken Authentication and Session Management

OWASP Mobile Top 10 2016

M2-Insecure Data Storage

OWASP Top 10 2017

A2-Broken Authentication A3-Sensitive Data Exposure

OWASP Top 10 2021

A2-Cryptographic Failures A4-Insecure Design A7-Identification and Authentication Failures

PCI DSS 4.0

6.2.4

HIPAA

§164.312 (e)(1)

CWE

CWE-1028

Overview

Cookie domain is set broadly. Broad domain (e.g., .example.com) is insecure, because in this case the vulnerability in one application could endanger other applications in the same domain.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

OWASP Top 10 2013-A5-Security Misconfiguration
Origin Cookies: Session Integrity for Web Applications (pdf)
OWASP Top 10 2017 A2-Broken Authentication
CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication

MEDIUM

Python : Cookie: broad domain

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Python : Cookie: broad domain in your application?

See also

Python : Debug mode on

Python : Web3: Deprecated method

Python : Unsafe padding