WIP: Detect non-secure cookie usage & report cookie forcing vulnerability
Problem to solve
Cookie forcing is an attack that can be used to read and write cookies, even in HTTPS environments, if the cookies are not marked with the Secure attribute.
We should identify whether customers are using non-secure cookies as part of their application traffic and surface this for remediation.
If app traffic contains non-secure cookies, then create an issue (or first-class vulnerability if available) and alert users that this behavior is happening so they can remediate it.
Question: Should this be in DAST rather than Defend? Probably it's not mutually exclusive.
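The check proposed above, as an added example (not GitLab code): it scans Set-Cookie headers from observed responses for cookies that lack the Secure attribute and builds the text of the issue to raise. The sample headers, the Finding type and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample traffic: (request URL, raw Set-Cookie header value).
SAMPLE_RESPONSES = [
    ("https://app.example.test/login", "session=abc123; Path=/; HttpOnly"),
    ("https://app.example.test/login", "csrf=xyz; Path=/; Secure; SameSite=Strict"),
    ("https://app.example.test/prefs", "theme=dark; Max-Age=3600; secure"),
    # The *value* is "secure" here, but the attribute is absent.
    ("https://app.example.test/track", "insecure_flag=secure; Path=/"),
]


@dataclass(frozen=True)
class Finding:  # hypothetical record type for this example
    url: str
    cookie_name: str


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after is attributes.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def find_non_secure_cookies(responses):
    """Flag every cookie set without the Secure attribute (case-insensitive)."""
    findings = []
    for url, header_value in responses:
        name, attrs = parse_set_cookie(header_value)
        if name and "secure" not in attrs:
            findings.append(Finding(url, name))
    return findings


def render_issue(findings):
    """Build the body of the issue that alerts the user to remediate."""
    lines = ["Cookies set without the Secure attribute:"]
    lines += [f"- {f.cookie_name} (set by {f.url})" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_issue(find_non_secure_cookies(SAMPLE_RESPONSES)))
```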
Permissions and Security
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
Slack discussion: https://gitlab.slack.com/archives/C0259241E/p1564562700325100
/label feature r