WIP: Detect non-secure cookie usage & report cookie forcing vulnerability

Problem to solve

Cookie forcing is an attack that can be used to read and write cookies, even in HTTPS environments, if the cookies are not marked with the `Secure` attribute.

We should identify whether customers are using non-secure cookies as part of their application traffic and surface this for remediation.

Intended users

Further details

Proposal

If app traffic contains non-secure cookies, then create an issue (or first-class vulnerability if available) and alert users that this behavior is happening so they can remediate it.

Question: Should this be in DAST rather than Defend? Probably the two are not mutually exclusive.

Opinion: This is generally detected by DAST; however, issues like this can be missed by DAST and still be detected via analysis of the HTTPS traffic (with a ModSecurity rule, perhaps).
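As an added illustration of the traffic-analysis approach (this is example code, not part of the issue or of any GitLab component), the following scans raw HTTP responses for `Set-Cookie` headers that omit the `Secure` attribute and returns one finding per offending cookie. The sample response, cookie names and the `CookieFinding` structure are constructed for the example; the attribute check is case-insensitive, as cookie attributes are.

```python
"""Detect Set-Cookie headers that omit the Secure attribute.

Added example, not code from the GitLab issue. It walks the response
headers of a (constructed) HTTPS response and reports every cookie that
a browser would also send over plaintext HTTP, which is the condition
that makes cookie forcing possible.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    raw: str  # the original Set-Cookie value, kept for the report


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value into a finding.

    The first ';'-separated segment is name=value; later segments are
    attributes such as Path, Secure or HttpOnly. Attribute names are
    compared case-insensitively, so 'SECURE' and 'secure' both count.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        raw=header_value,
    )


def extract_set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]  # drop the status line
    return [
        line.split(":", 1)[1].strip()
        for line in header_lines
        if line.lower().startswith("set-cookie:")
    ]


def find_insecure_cookies(raw_response: str) -> List[CookieFinding]:
    """Findings for every cookie set without the Secure attribute."""
    findings = (parse_set_cookie(h) for h in extract_set_cookie_headers(raw_response))
    return [f for f in findings if not f.secure]


def format_report(findings: List[CookieFinding]) -> str:
    """Render findings as the text an issue or alert could carry."""
    if not findings:
        return "No cookies set without the Secure attribute."
    lines = ["Cookies set without the Secure attribute (cookie forcing risk):"]
    for f in findings:
        lines.append(f"  - {f.name}: {f.raw}")
    return "\n".join(lines)


# Constructed sample response: one correctly flagged cookie, two that are not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: _csrf=xyz789; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(format_report(find_insecure_cookies(SAMPLE_RESPONSE)))
```

Run as a script it prints a two-line report naming `_csrf` and `prefs`; `session` is skipped because it carries `Secure`. In a real deployment the same check would run over captured response headers rather than a literal string, and each finding would become the issue or vulnerability the proposal describes.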

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Links / references

Slack discussion: https://gitlab.slack.com/archives/C0259241E/p1564562700325100


Edited Jul 27, 2020 by Thiago Figueiró