Monday, April 5, 2021

How web applications reject a wildcard in a cookie's domain

While bug hunting, I found a website that sets its session cookie's domain to sub1.mydomain.com. But I also found an XSS on sub2.sub1.mydomain.com that allows me to create that same session cookie with the domain .sub1.mydomain.com (leading dot), and the application accepted the cookie as valid.

I understand that on the client side there is nothing that can be done: browsers will accept the second cookie as valid. The question is: how could web applications reject the second cookie server-side?
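Added example (not part of the original post) illustrating two things a defender wants to know here: the Cookie request header carries only name=value pairs, so the server cannot see which Domain attribute a cookie was stored with, and the `__Host-` cookie-name prefix (RFC 6265bis) makes the browser itself refuse a copy of the cookie that carries a Domain attribute. The domain names and cookie values below are constructed to mirror the scenario in the post; the prefix check is a plain-Python model of the browser rule, not a real user agent.

```python
"""Why a server cannot reject the wider-domain cookie, and how __Host- helps."""


def server_sees(cookie_request_header: str) -> list:
    """Parse a Cookie request header the way a server does.

    Browsers transmit only name=value pairs; Domain, Path and Secure are
    never sent back, so both cookies from the post arrive indistinguishable.
    """
    pairs = []
    for part in cookie_request_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def user_agent_accepts(set_cookie_header: str, secure_origin: bool) -> bool:
    """Model the cookie-name-prefix rules a browser applies before storing.

    __Secure-: must be set from a secure origin with the Secure attribute.
    __Host-:   additionally must have no Domain attribute and Path=/ exactly,
               which is what blocks a subdomain from planting a wider copy.
    """
    name_value, *attr_parts = [p.strip() for p in set_cookie_header.split(";")]
    name, _, _ = name_value.partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if name.startswith("__Secure-") or name.startswith("__Host-"):
        if not secure_origin or "secure" not in attrs:
            return False
    if name.startswith("__Host-"):
        if "domain" in attrs or attrs.get("path") != "/":
            return False
    return True


if __name__ == "__main__":
    # Constructed Set-Cookie headers: the legitimate host-only cookie and a
    # copy that tries to widen the scope to .sub1.mydomain.com.
    print(user_agent_accepts("__Host-session=abc123; Secure; Path=/", True))
    print(user_agent_accepts(
        "__Host-session=evil; Secure; Path=/; Domain=.sub1.mydomain.com", True))
    # Without the prefix, both copies are stored and the server sees this:
    print(server_sees("session=abc123; session=evil"))
```

The first call prints True and the second False; the last line shows that, without the prefix, the server receives two identical-looking `session` pairs with no scope information to act on.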
