Rust : Cookie: broad domain

Classification

OWASP Top 10 2013

A2-Broken Authentication and Session Management

OWASP Top 10 2017

A2-Broken Authentication A3-Sensitive Data Exposure

OWASP Top 10 2021

A2-Cryptographic Failures A4-Insecure Design A7-Identification and Authentication Failures

PCI DSS 4.0

6.2.4

HIPAA

§164.312 (e)(1)

Overview

Cookie domain is set broadly. Broad domain (for example, .example.com is unsafe, because in this case a vulnerability in one application could endanger other applications in the same domain.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

OWASP Top 10 2017 A2-Broken Authentication
OWASP Top 10 2013-A5-Security Misconfiguration
Origin Cookies: Session Integrity for Web Applications (pdf)
CookieBuilder - RUST

LOW

Rust : Cookie: broad domain

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Rust : Cookie: broad domain in your application?

See also

Rust : Buffer overflow

Rust : Empty salt

Rust : Hardcoded salt