The cookie’s value can be read or written from all subdomains.

What can happen?

This widens the scope for XSS attacks as an XSS vulnerability on a subdomain can affect the cookies of another subdomain. See our article about XSS for more detailed description of the risks.

Remediation

example.com and sub.example.com can only share cookies if the domain is set in the Set-cookie header. The scope of the cookie is otherwise limited to the request host per default.

If the following header is sent on sub.example.com:

Set-Cookie: name=value

Then the cookie will not be included in requests to example.com. However, if you instead send the following header on sub.example.com:

Set-Cookie: name=value; domain=example.com

Then the cookie will be included in requests towards both sub.example.com and example.com.

As the default is to not set cookies as wildcard, just remove that part of the cookie header to fully remediate this issue. If instead the web application actually requires the cookie to be sent to every subdomain and main domain, then please mark it as an Accepted Risk and we will filter it out in future reports.

Resources