Configuration Management / Cookie Issued to Parent Domain

Web and API

Description

Cookie issued to parent domain is a web application vulnerability in the configuration management category (CWE-20). It occurs when an application sets a cookie's "domain" attribute to a parent domain, so that the browser also sends the cookie to that parent domain and to every other subdomain under it. A cookie shared in this way can be read or overwritten from any of those hosts (cookie injection), which can be used to bypass authentication or to perform Cross-Site Scripting (XSS) attacks. According to the OWASP Testing Guide, in certain cases cookies are issued that are valid for the parent domain and for other subdomains, allowing the vulnerability to be exploited.

Risk

Cookie issued to parent domain is a high-risk vulnerability, since it allows attackers to gain access to user sessions and bypass authentication, as well as to perform XSS attacks. This can have a significant impact on the security of the system and its users, as attackers may gain access to sensitive data and perform malicious activities.

Solution

The best solution to this vulnerability is to ensure that cookies are scoped only to the exact host that issued them, and not to any parent domain. This can be done by setting the "domain" attribute to the exact domain requested. Additionally, it is recommended that all cookies be set with the "secure" attribute, so that they are only sent over encrypted (HTTPS) connections.
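As an added example (not part of this page), the following Python check could be run by a scanner or CI job over observed Set-Cookie headers to flag cookies scoped to a parent domain or missing the Secure attribute; the hostname and headers are constructed for illustration. It also encodes the RFC 6265 behaviour that an explicit Domain attribute, even one equal to the request host, still covers that host's subdomains, whereas omitting Domain yields a host-only cookie.

```python
"""Audit Set-Cookie headers for parent-domain scoping (constructed example)."""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name/value plus the attributes we audit."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # Browsers ignore a leading dot in the Domain attribute (RFC 6265 5.2.3)
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie


def audit_set_cookie(request_host: str, header: str) -> list:
    """Return findings for one Set-Cookie header issued by request_host."""
    c = parse_set_cookie(header)
    host = request_host.lower()
    dom = c["domain"]
    findings = []
    if dom is None:
        pass  # no Domain attribute: host-only cookie, returned only to request_host
    elif host.endswith("." + dom):
        findings.append(f"{c['name']}: Domain={dom} is a parent of {host}; "
                        "every subdomain of it can read or overwrite this cookie")
    elif dom == host:
        findings.append(f"{c['name']}: explicit Domain={dom} also covers subdomains of {host}; "
                        "omit the Domain attribute for a host-only cookie")
    else:
        findings.append(f"{c['name']}: Domain={dom} does not cover {host}; browsers reject it")
    if not c["secure"]:
        findings.append(f"{c['name']}: missing Secure attribute")
    return findings


# Constructed sample headers, as a scanner would see them from app.example.com
SAMPLE_HOST = "app.example.com"
SAMPLE_HEADERS = [
    "SESSION=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",  # parent domain
    "SESSION=abc123; Path=/; Secure; HttpOnly",                       # host-only, fixed
    "PREF=dark; Domain=app.example.com; Path=/",                      # explicit host, no Secure
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_set_cookie(SAMPLE_HOST, h) or ["ok"])
```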

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.