Swift : Cookie: broad domain

Classification

OWASP Top 10 2013

A2-Broken Authentication and Session Management

OWASP Mobile Top 10 2016

M2-Insecure Data Storage

OWASP Top 10 2017

A2-Broken Authentication A3-Sensitive Data Exposure

OWASP Top 10 2021

A2-Cryptographic Failures A4-Insecure Design A7-Identification and Authentication Failures

PCI DSS 4.0

6.2.4

HIPAA

§164.312 (e)(1)

CWE

CWE-1028

Overview

Cookie domain is set broadly. Broad domain (e.g., .example.com) is insecure, because in this case the vulnerability in one application could endanger other applications in the same domain.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

OWASP Top 10 2013-A5-Security Misconfiguration
Origin Cookies: Session Integrity for Web Applications (pdf)
Cookie security: overly broad domain
HTTPCookie domain Property
OWASP Top 10 2017 A2-Broken Authentication
CWE-1028: Broken Authentication

MEDIUM

Swift : Cookie: broad domain

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Swift : Cookie: broad domain in your application?

See also

Swift : Nill password

Swift : Hardcoded salt

Swift : Undocumented feature: special account