CodeQL documentation

Cookie security: overly broad domain

ID: cs/web/broad-cookie-domain
Kind: problem
Security severity: 9.3
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-287
Query suites:
  - csharp-code-scanning.qls
  - csharp-security-extended.qls
  - csharp-security-and-quality.qls

This rule finds cookies with an overly broad domain. Cookies with an overly broad domain, such as “.mybank.com”, can be accessed by all web applications deployed on this domain and its sub-domains. A cookie with sensitive data, but with too broad a domain, could hence be read and tampered with by a less secure and untrusted application.

Recommendation

Precisely define the domain of the web application for which this cookie is valid.

Example

In this example, cookie1 is accessible from online-bank.com. cookie2 is accessible from ebanking.online-bank.com and any subdomains of ebanking.online-bank.com.

    using System.Web;

    class CookieWithOverlyBroadDomain
    {
        static public void AddCookie()
        {
            // Overly broad: the cookie is valid for the whole online-bank.com site
            HttpCookie cookie1 = new HttpCookie("sessionID");
            cookie1.Domain = "online-bank.com";

            // Overly broad: the leading dot makes the cookie valid for every
            // subdomain of ebanking.online-bank.com as well
            HttpCookie cookie2 = new HttpCookie("sessionID");
            cookie2.Domain = ".ebanking.online-bank.com";
        }
    }

In the following example, cookie is only accessible from ebanking.online-bank.com, which is much more secure.

    using System.Web;

    class CookieWithOverlyBroadDomainFix
    {
        static public void AddCookie()
        {
            // Scoped to exactly the host that serves the application
            HttpCookie cookie = new HttpCookie("sessionID");
            cookie.Domain = "ebanking.online-bank.com";
        }
    }
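As an added example (not from the CodeQL documentation or from the query's own code), the following C# helper enforces the recommendation at the point where the session cookie is created: it rejects a leading-dot domain and any domain that is not exactly the host serving the application, so a broad domain cannot reach production unnoticed. The class name, the method names and the host ebanking.online-bank.com are assumptions.

```csharp
using System;
using System.Web;

// Added example, not part of the CodeQL documentation: a guard that refuses
// to create a cookie whose Domain attribute is broader than the application
// host. Class, method and host names are assumptions.
static class CookieDomainGuard
{
    // Returns true when 'domain' would make the cookie visible to hosts other
    // than 'appHost' itself: a leading dot (every subdomain), a parent domain
    // such as "online-bank.com" for ebanking.online-bank.com, or any value
    // that is not exactly the application's host.
    public static bool IsOverlyBroad(string domain, string appHost)
    {
        if (string.IsNullOrEmpty(domain))
            return false;   // no Domain attribute: the browser scopes the cookie to the origin host only
        if (domain.StartsWith("."))
            return true;    // ".ebanking.online-bank.com" covers every subdomain
        if (!string.Equals(domain, appHost, StringComparison.OrdinalIgnoreCase))
            return true;    // parent domain or unrelated host: broader than this application
        return false;
    }

    // Creates the cookie only when its domain is exactly the application host.
    public static HttpCookie CreateSessionCookie(string name, string domain, string appHost)
    {
        if (IsOverlyBroad(domain, appHost))
            throw new ArgumentException(
                $"Cookie domain '{domain}' is broader than the application host '{appHost}'.");

        var cookie = new HttpCookie(name);
        cookie.Domain = domain;
        cookie.HttpOnly = true;   // keep the session id out of reach of page scripts
        cookie.Secure = true;     // only send the cookie over HTTPS
        return cookie;
    }
}

class Program
{
    static void Main()
    {
        const string appHost = "ebanking.online-bank.com";   // assumed deployment host
        string[] candidates =
        {
            "online-bank.com",            // parent domain (flagged)
            ".ebanking.online-bank.com",  // leading dot (flagged)
            "ebanking.online-bank.com"    // exact host (accepted)
        };
        foreach (var d in candidates)
            Console.WriteLine($"{d,-30} overly broad: {CookieDomainGuard.IsOverlyBroad(d, appHost)}");

        HttpCookie session = CookieDomainGuard.CreateSessionCookie("sessionID", appHost, appHost);
        Console.WriteLine($"created cookie scoped to {session.Domain}");
    }
}
```

The guard is deliberately strict: it treats a parent domain as just as unacceptable as a leading dot, because either one lets every application deployed under that domain read the session cookie. Keeping the check beside the cookie construction also gives the CodeQL query a single place to verify rather than every call site.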
