This repository has been archived by the owner on Jan 24, 2023. It is now read-only.

Vulnerability issues: Insecure Path Attribute #4887

Open
9 tasks
mukulk2020 opened this issue Mar 15, 2021 · 0 comments
Labels
community Community Raised Issue

Comments


mukulk2020 commented Mar 15, 2021

Stratos Version

Stratos 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

PATH should be set to "path=/application name/" and not "path=/".
If the path attribute is set to the web server root "/" directory, then the application along with the hosting web server becomes vulnerable to multiple attacks.

Actual behaviour

It is showing path=/ and there is no option to change this.

Steps to reproduce the behavior

Log output covering before error and any error statements


Insert log hereCopy

image

Detailed Description

The URL path that the cookie is valid for can be specified. If the domain and path match, then the cookie will be sent in the request. Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server. For example, if the path attribute was set to the web server root "/", then the application cookies will be sent to every application within the same domain.

Context

Possible Implementation
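Added example, not code from the Stratos project: the RFC 6265 path-match rule that decides whether a cookie is attached to a request, applied to a session cookie scoped to "/" versus one scoped to an application prefix. The cookie name "stratos-session" and the prefix "/stratos" are assumed values chosen for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// pathMatches implements the RFC 6265 section 5.1.4 path-match rule:
// a cookie whose Path is cookiePath is sent with a request to requestPath
// when the two are identical, or cookiePath is a prefix of requestPath and
// either cookiePath ends in "/" or the next character of requestPath is "/".
func pathMatches(cookiePath, requestPath string) bool {
	if cookiePath == requestPath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	if strings.HasSuffix(cookiePath, "/") {
		return true
	}
	// requestPath is strictly longer than cookiePath here, so the index is safe.
	return requestPath[len(cookiePath)] == '/'
}

// sessionCookie builds a session cookie scoped to appPath instead of "/".
// Name and prefix are assumed values, not taken from the Stratos code base.
func sessionCookie(appPath, value string) *http.Cookie {
	return &http.Cookie{
		Name:     "stratos-session",
		Value:    value,
		Path:     appPath,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	wide := sessionCookie("/", "constructed-value")
	narrow := sessionCookie("/stratos", "constructed-value")
	// Constructed request paths: the application itself, a sibling app, and a
	// look-alike prefix that must not match.
	for _, req := range []string{"/stratos/api/v1", "/stratos", "/stratosfoo", "/other-app/"} {
		fmt.Printf("%-16s Path=/ sent: %-5v Path=/stratos sent: %v\n",
			req, pathMatches(wide.Path, req), pathMatches(narrow.Path, req))
	}
}
```

With Path=/ the cookie reaches every request on the host, including /other-app/; with Path=/stratos it is sent only to /stratos and paths below it, and not to the look-alike /stratosfoo.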

@richard-cox richard-cox added the community Community Raised Issue label Apr 12, 2021