Cookie Scope

Cookie Scope Leak

The session cookie is set with `Domain=.example.com`, so it is sent to every subdomain including third-party-hosted apps.

CWE-539
Cookie audit


Expected Findings

  • `Domain=.example.com` exposes the cookie to legacy.example.com and partner-hosted blog.example.com.
  • `HttpOnly` is set, but `Path=/` attaches the cookie to every request under the domain, not only the session endpoints that need it.
  • `__Host-` cookies were considered but reverted to keep marketing pages logged in.

Signals

Set-Cookie
Set-Cookie: session=...; Domain=.example.com; Path=/; HttpOnly
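An added cookie-audit script for this finding (not the page's own tooling): it parses the Set-Cookie header above, reports the scope problems listed under Expected Findings, and produces the host-only `__Host-` rewrite. The cookie value and the `SameSite=Lax` default are assumed placeholders.

```python
# Added example, not part of the original record: audit a Set-Cookie header
# for the scope leak described on this page and show the __Host- rewrite.
from typing import Dict, List, Optional, Tuple

# Constructed sample based on the Signals section (value is a placeholder).
LEAKY = "Set-Cookie: session=abc123; Domain=.example.com; Path=/; HttpOnly"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Return (name, value, attributes); attribute keys are lower-cased."""
    body = header.strip()
    if body.lower().startswith("set-cookie:"):
        body = body[len("set-cookie:"):]
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[str]:
    """List scope and flag problems a cookie audit would report."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "domain" in attrs:  # Domain= shares the cookie with every subdomain
        findings.append(f"Domain={attrs['domain']} shares the cookie with every subdomain")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    if attrs.get("samesite") is None:
        findings.append("no SameSite attribute: browser default applies")
    # Browsers only accept a __Host- cookie with Secure, Path=/ and no Domain.
    if name.startswith("__Host-") and (
        "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs
    ):
        findings.append("__Host- prefix requirements not met: browser rejects the cookie")
    return findings


def host_scoped(header: str) -> str:
    """Rewrite the cookie as host-only: __Host- prefix, Secure, Path=/, no Domain."""
    name, value, attrs = parse_set_cookie(header)
    if not name.startswith("__Host-"):
        name = "__Host-" + name
    out = [f"{name}={value}", "Path=/", "Secure"]
    if "httponly" in attrs:
        out.append("HttpOnly")
    out.append(f"SameSite={attrs.get('samesite') or 'Lax'}")  # Lax is an assumed default
    return "; ".join(out)
```

The rewrite is what the `__Host-` option in the findings would look like; it stops the cookie reaching legacy.example.com or a partner-hosted subdomain, which is exactly why it breaks the shared marketing-page login.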