example.com, then only www.example.com will be able to access it. For additional security,
omit the domain property altogether (browsers treat an empty "domain=" the same way): the
cookie then becomes a host-only cookie that is returned solely to the server that set it.
Attackers should check every cookie for the restrictiveness of its domain property, because
if it is not restrictive, an attacker will be able to steal the cookie through attacks
launched from other servers in the same domain. For example, consider an attacker who wants
to steal the cookie of a user logged in to www.example.com, where the domain property has
been set to .example.com instead of www.example.com (or omitted). If the attacker is able to
perform an XSS attack from forums.example.com, joes-pc.example.com, or any other host in the
example.com domain, she will be able to steal the user's cookie, because any site inside the
example.com domain is allowed to access it.
Path Property
The Path property of a cookie is used to further limit the scope of which applications on
a server are allowed to access a given cookie. Attackers will have to find a hole in the
specific application to obtain a user's cookie rather than using any application on the
server. Note that Path is a much weaker boundary than the domain property: the browser's
same-origin policy does not distinguish paths, so script running at a different path on the
same host can load the protected path in a frame and read its cookies. Treat a restrictive
Path as defense in depth, not as isolation.
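As an added, worked check (example code written for this edit, not from the original text), the following Python script models RFC 6265 domain and path matching to answer the question a tester asks about each cookie discussed above: which other hosts and paths will the browser send it to? The hostnames, cookie names and Set-Cookie headers are constructed for the example; the audit_cookie_scope helper and its list of sibling hosts are assumptions for illustration, and browser rejection of public suffixes (e.g. Domain=com) is not modelled.

```python
"""Cookie scope checker: which hosts and paths will a browser send a given
Set-Cookie back to?  Domain and Path matching follow RFC 6265 (sections
5.1.3, 5.1.4 and 5.3).  All hosts and headers below are constructed samples."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        k, _, v = av.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: identical, or a subdomain of cookie_domain."""
    h, d = request_host.lower(), cookie_domain.lower()
    return h == d or (h.endswith(d) and h[-len(d) - 1] == ".")


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the cookie's default path when no Path attribute is set."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def effective_scope(header: str, setting_host: str, request_path: str = "/") -> dict:
    """Work out the domain/path scope a browser would store for this cookie."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain == "":
        # No Domain attribute, or an empty "domain=": host-only cookie that is
        # returned to the exact setting host and nothing else.
        host_only, domain = True, setting_host.lower()
    else:
        host_only = False
        # A browser rejects a Domain the setting host does not belong to
        # (e.g. www.example.com trying to set Domain=other.com).
        if not domain_matches(setting_host, domain):
            raise ValueError(f"{setting_host} may not set Domain={domain}")
    path = attrs.get("path", "")
    if not path.startswith("/"):
        path = default_path(request_path)
    return {"name": cookie["name"], "domain": domain, "host_only": host_only, "path": path}


def cookie_sent_to(scope: dict, request_host: str, request_path: str = "/") -> bool:
    """Would a browser attach this stored cookie to a request for host/path?"""
    if scope["host_only"]:
        host_ok = request_host.lower() == scope["domain"]
    else:
        host_ok = domain_matches(request_host, scope["domain"])
    return host_ok and path_matches(request_path, scope["path"])


def audit_cookie_scope(header: str, setting_host: str) -> list:
    """Tester's check (hypothetical helper): list every host other than the
    setting host that receives the cookie, i.e. every host whose XSS leaks it."""
    scope = effective_scope(header, setting_host)
    # Constructed sibling hosts in and around the same parent domain.
    siblings = ["forums.example.com", "joes-pc.example.com", "app.www.example.com",
                "example.com", "notexample.com", "evil.com"]
    return [h for h in siblings if cookie_sent_to(scope, h) and h != setting_host.lower()]


if __name__ == "__main__":
    host = "www.example.com"
    # Constructed headers: the loose domain from the text, and the host-only fix.
    loose = "SESSIONID=abc123; Domain=.example.com; Path=/"
    tight = "SESSIONID=abc123; Path=/; Secure; HttpOnly"
    for h in (loose, tight):
        leaks = audit_cookie_scope(h, host)
        print(h, "->", leaks or "host-only, no other host receives it")
```

Run the script as-is to see the loose Domain=.example.com cookie reported as reachable from forums.example.com, joes-pc.example.com and the bare example.com host, while the host-only header leaks to none of them; feed it the real Set-Cookie headers from a target's responses to get the same answer for each cookie in scope.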