Cookie Overly Broad Path Detected - Printable Version
Atozed Forums (https://www.atozed.com/forums) > IntraWeb > English > IntraWeb General Discussion
Thread: Cookie Overly Broad Path Detected (/thread-3331.html)
Cookie Overly Broad Path Detected - pgnair - 06-23-2023

Hi Team,

A new vulnerability came up in the VAPT. How can we fix it, please?

Thanks,
Pramod

Cookie Overly Broad Path Detected
The cookie 'path' attribute signifies the URL or path for which the cookie is valid. If an overly broad path like root '/' is specified in the cookie, then it is accessible through other applications on the same domain. Exposing the cookie to all web applications on the domain can lead to sensitive information disclosure, like session identifiers etc., and can cause one application to compromise another application.

RE: Cookie Overly Broad Path Detected - pgnair - 06-27-2023

(06-23-2023, 04:32 AM)pgnair Wrote: Hi Team

Hi Alex,

Kindly advise how to fix it. Currently the attributes below are True, and the 'Same Site' property is set to ssoLax:
HTTPOnly
RunCookieCheck
Secure
SessionCookies
Use Cookies

Thanks,
Pramod

RE: Cookie Overly Broad Path Detected - Alexandre Machado - 06-28-2023

Is your application installed to respond to some domain-wide request, like https://yourcompany.com? If so, the cookie must be using the root application path, otherwise there is no way to use it for the main URL address... Are you sure these auditors know what they are doing?

RE: Cookie Overly Broad Path Detected - pgnair - 06-30-2023

(06-28-2023, 09:05 AM)Alexandre Machado Wrote: Is your application installed to respond to some domain wide request, like https://yourcompany.com ??

Yes, the URL is https://collection.XXXXXX.com. Where is this path being set? I asked the auditors about this, and what they advised is that we must do it in the application itself.

RE: Cookie Overly Broad Path Detected - Alexandre Machado - 06-30-2023

The cookie path is automatically set to the address of the application path. There is no way to keep the application working on the root path of your domain if you don't keep the cookie. You can try to disable the application cookie completely, but you will need to use a unique URL (i.e. there will be a long unique identifier in your URL) and this may cause other problems. Certain applications won't work well without cookies. These guys are certainly not developers and have no idea what they are asking.

RE: Cookie Overly Broad Path Detected - Alexandre Machado - 06-30-2023

Ask these auditors if they use Gmail themselves. Ask them if they think that Gmail is "unsafe". Gmail also uses a root-wide session cookie: [attachment=601]
Not one, actually, but DOZENS. All using the root path, in multiple Google domains.
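The path-scoping rule behind the scanner's finding and behind Alexandre's point that an application answering at the domain root ends up with a root cookie path, as an added example that is not part of the thread or of IntraWeb: the RFC 6265 default-path and path-match logic in Python. The URLs are constructed, with example.com standing in for the redacted host.

```python
"""Added example (not from the forum thread): how a browser scopes a cookie by
path under RFC 6265, and why an app served at the domain root gets Path=/."""
from urllib.parse import urlsplit


def default_path(request_uri: str) -> str:
    """RFC 6265 section 5.1.4: the path a cookie receives when Set-Cookie
    carries no Path attribute, derived from the request URI's path."""
    uri_path = urlsplit(request_uri).path
    # Empty, not starting with '/', or containing a single '/' -> root path.
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    # Otherwise everything up to, but not including, the rightmost '/'.
    return uri_path[: uri_path.rfind("/")]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: the cookie is sent when the request path equals
    the cookie path, or extends it at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Either the cookie path ends in '/', or the next request-path char is '/'.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(cookie_path: str, request_uri: str) -> bool:
    """True when a cookie scoped to cookie_path accompanies request_uri."""
    return path_matches(cookie_path, urlsplit(request_uri).path)


# Constructed URLs; example.com is a placeholder for the thread's redacted host.
ROOT_APP = "https://collection.example.com/"            # app at the domain root
SUB_APP = "https://collection.example.com/collection/"  # same app under a sub-path
OTHER_APP = "https://collection.example.com/otherapp/"  # another app on the host

if __name__ == "__main__":
    # At the root the default path is '/', so every path on the host sees the cookie.
    root_path = default_path(ROOT_APP)
    print(root_path, cookie_sent_to(root_path, OTHER_APP))   # / True
    # Mounted under /collection the scope narrows and /otherapp no longer gets it.
    sub_path = default_path(SUB_APP)
    print(sub_path, cookie_sent_to(sub_path, OTHER_APP))     # /collection False
```

The narrowing only helps when the application actually lives under a sub-path; for an application that must answer at the bare host, no narrower Path value exists, which is the constraint the thread describes.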