Cookie Overly Broad Path Detected
#1
Hi Team
A new vulnerability was found in the VAPT. How can I fix it, please?
Thanks
Pramod



Cookie Overly Broad Path Detected

The cookie 'path' attribute signifies the URL or path for which the cookie is valid. If an overly broad path like root '/' is specified in the cookie then it is accessible through other applications on the same domain. Exposing the cookie to all web applications on the domain can lead to sensitive information disclosure like session identifier etc. and can cause one application to compromise another application.
Reply
#2
(06-23-2023, 04:32 AM)pgnair Wrote: Hi Team
A new vulnerability was found in the VAPT. How can I fix it, please?
Thanks
Pramod



Cookie Overly Broad Path Detected

The cookie 'path' attribute signifies the URL or path for which the cookie is valid. If an overly broad path like root '/' is specified in the cookie then it is accessible through other applications on the same domain. Exposing the cookie to all web applications on the domain can lead to sensitive information disclosure like session identifier etc. and can cause one application to compromise another application.
Hi Alex

Kindly advise how to fix it?

Currently the attributes below are True and the 'Same Site' property is set to ssoLax

HTTPOnly
RunCookieCheck
Secure
SessionCookies
Use Cookies

Thanks
Pramod
Reply
#3
Is your application installed to respond to some domain-wide request, like https://yourcompany.com?

If so, the cookie must be using the root application path, otherwise there is no way to use it to the main URL address... are you sure these auditors know what they are doing?
Reply
#4
(06-28-2023, 09:05 AM)Alexandre Machado Wrote: Is your application installed to respond to some domain-wide request, like https://yourcompany.com?

If so, the cookie must be using the root application path, otherwise there is no way to use it to the main URL address... are you sure these auditors know what they are doing?

Yes, the URL is https://collection.XXXXXX.com.
Where is this path being set?
I asked the auditors about this and what they advised is that we must do it in the application itself.
Reply
#5
The cookie path is automatically set to the address of the application path. There is no way to keep the application working on the root path of your domain if you don't keep the cookie.

You can try to disable the application cookie completely but you will need to use a unique URL (i.e. there will be a long unique identifier in your URL) and this may cause other problems. Certain applications won't work well without cookies.

These guys are certainly not developers and have no idea what they are asking.
Reply
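To make the Path attribute behaviour from the first post and from post #5 concrete, here is an added example (it is not code from the thread, the auditors or the product being discussed). It implements the browser's path-match rule from RFC 6265 section 5.1.4, builds a Set-Cookie header scoped to a sub-path with the Secure/HttpOnly/SameSite attributes the poster already has enabled, and runs the same check a scanner applies: a cookie Path broader than the application's base path is flagged, while an application that really lives at the domain root legitimately needs Path=/. The cookie name, value, paths and URLs are constructed for illustration.

```python
"""Added example: how the cookie Path attribute scopes delivery, and a
scanner-style check for an overly broad Path. All names/paths are constructed."""
from http.cookies import SimpleCookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: identical paths match; otherwise the
    cookie-path must be a prefix of the request-path and either end in '/'
    or be followed by '/' in the request-path (so /collection does not cover
    /collectionx)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False


def cookie_sent_to(cookie_path: str, request_paths):
    """Return the request paths to which a browser would attach a cookie with
    the given Path attribute (the 'other applications on the same domain' case)."""
    return [p for p in request_paths if path_matches(p, cookie_path)]


def build_set_cookie(name: str, value: str, path: str) -> str:
    """Build a hardened Set-Cookie value: Secure, HttpOnly, SameSite=Lax and
    scoped to `path` instead of the root."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str, app_base_path: str):
    """Apply the scanner's checks to one Set-Cookie value and return findings.
    A cookie Path is 'overly broad' when the application's base path
    path-matches it but the two are not the same path (e.g. Path=/ for an
    application served under /collection). An application served at the
    root itself needs Path=/, so that case produces no finding."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        cookie_path = morsel["path"] or "/"  # a missing Path defaults to the request directory; treat as root here
        same = cookie_path.rstrip("/") == app_base_path.rstrip("/")
        if path_matches(app_base_path, cookie_path) and not same:
            findings.append(f"{name}: Path={cookie_path} is broader than application path {app_base_path}")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed request paths on one host: the app under /collection and a neighbour app.
    paths = ["/collection/login", "/collection", "/collectionx", "/other/admin"]
    print("Path=/           ->", cookie_sent_to("/", paths))
    print("Path=/collection ->", cookie_sent_to("/collection", paths))
    print(build_set_cookie("session", "constructed-session-id", "/collection"))
    print(audit_set_cookie("session=abc; Path=/; Secure; HttpOnly", "/collection"))
    print(audit_set_cookie("session=abc; Path=/; Secure; HttpOnly", "/"))
```

Run it as a script to see which of the constructed request paths each Path value reaches; `audit_set_cookie` is the piece to point at a captured Set-Cookie header from the real application, with its actual base path as the second argument.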
#6
Ask these auditors if they use gmail themselves. Ask them if they think that gmail is "unsafe".

GMail also uses a root wide session cookie:


Not one, actually, but DOZENS. All using the root path, in multiple google domains.
Reply

