WIP: Detect non-secure cookie usage & report cookie forcing vulnerability
Problem to solve
Cookie forcing is an attack that can be used to read and write cookies, even in HTTPS environments, if the cookies are not marked with secure.
We should identify whether customers are using non-secure cookies as part of their application traffic and surface this for remediation.
Intended users
Further details
Proposal
If app traffic contains non-secure cookies, then create an issue (or first-class vulnerability if available) and alert users that this behavior is happening so they can remediate it.
Question: Should this be in DAST rather than Defend? Probably it's not mutually exclusive.
Opinion: This is generally detected by DAST; however, issues like this can be missed by DAST and instead detected through analysis of the HTTPS traffic (with a ModSecurity rule, perhaps).
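As an added illustration of the detection the proposal describes (example code, not part of the issue or of any GitLab component), the following inspects Set-Cookie headers captured from HTTPS responses and reports every cookie set without the Secure attribute, rendering the result as the body of the issue that would be opened. The sample responses and the Finding shape are constructed assumptions.

```python
"""Flag cookies set over HTTPS without the Secure attribute (cookie forcing risk).

Added example; the captured responses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of HTTPS responses: (request path, Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("/login", ["session=abc123; Path=/; HttpOnly; Secure",
                "prefs=dark; Path=/"]),
    ("/api/token", ["csrf=xyz; path=/; samesite=strict"]),
    ("/static/app.js", []),
]


@dataclass(frozen=True)
class Finding:
    cookie: str  # cookie name from the Set-Cookie header
    path: str    # request path whose response set the cookie


def parse_set_cookie(header: str) -> Tuple[str, set]:
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); values (Path=/) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def find_insecure_cookies(responses) -> List[Finding]:
    """Report cookies that an HTTPS response set without the Secure attribute."""
    findings = []
    for path, headers in responses:
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if "secure" not in attrs:
                findings.append(Finding(name, path))
    return findings


def issue_body(findings: List[Finding]) -> str:
    """Render findings as the text of the issue the proposal would create for the user."""
    lines = ["Cookies set over HTTPS without the Secure attribute (cookie forcing risk):"]
    lines += [f"- `{f.cookie}` set by `{f.path}`" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(issue_body(find_insecure_cookies(SAMPLE_RESPONSES)))
```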
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
Slack discussion: https://gitlab.slack.com/archives/C0259241E/p1564562700325100